...

Nancy: Point person to get CVE creation process going.

 

Proposed Vulnerability Procedure

...

Public disclosure - CVE, http://cve.mitre.org/, etc

CVE Process

1. Request a CVE-ID from a CNA.

2. The CNA provides the CVE-ID and MITRE creates blank content on the CVE website.

3. The CVE-ID is shared with everyone involved in the vulnerability disclosure.

4. The CVE-ID is included in a vulnerability advisory.

5. After the CVE is made public, the requestor or CNA will notify MITRE.

6. MITRE updates the CVE-ID on the website and database.

 

CNA to contact for the CVE-ID:

MITRE can be contacted by email at cve-assign@mitre.org

CERT/CC (third-party CNA) has an online form (https://forms.cert.org/VulReport/)

 

The other listed CNAs are probably not good choices.  There is a long list of large software companies that run their own CNA for their own vulnerabilities.  Then there are two CNAs for researchers, which have make public policies.  Then there are the three third-party CNAs.  One is CERT/CC, whose contact form I listed above; one is in Japan; the other seems concerned with vital infrastructure vulnerabilities.

 

Basically, the choice is whether to contact the MITRE CNA via email or fill out a third-party CNA's online form.

 

Some of the resources I check out:

http://cve.mitre.org/cve/cna.html

http://www.coresecurity.com/

http://secunia.com/community/advisories/report_vulnerability/

https://www.jpcert.or.jp/english/about/

https://ics-cert.us-cert.gov/

https://www.cert.org/vulnerability-analysis/