CVE

Common Vulnerabilities and Exposures (CVE) IDs are a unique identifiers given to security flaws. The CVE FAQ describes it best. CVE has be come a de facto standard for identifying vulnerabilities and security flaws.

A1. What is CVE?

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate   
vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

Obtaining a CVE id

CVE monitors common vulnerability disclosure sources and assigns CVEs as new vulnerabilities are reported. To obtain a CVE before public disclosure, contact CVE or another CVE Numbering Authority (CNA). CVE IDs for publicly-disclosed vulnerabilities in Open Source software are best obtained by posting a request to the oss-security mailing list.

See also:

Information for CVE request

Required

  1. Email address of requester (so we can contact them)
  2. Software name and optionally vendor name
  3. At least one of (to determine is this a security issue):
    1. Type of vulnerability
    2. Exploitation vectors
    3. Attack outcome
  4. For Open Source at least one of:
    1. Link to vulnerable source code or fix
    2. Link to source code change log
    3. Link to security advisory
    4. Link to bug entry
    5. Request comes from project member (a.k.a. “trust me, it's a problem”)
  5. Affected version(s) (3.2.4, 3.x, current version, all current releases, something)
  6. Whether or not this has been previously requested (i.e. on OSS-Sec or to cve-assign)
  7. Is this an Open Source or commercial software request
  8. Is this an embargoed issue (if yes and commercial: send to cve-assign, if yes and open source: send to distros@?)
  9. If multiple issues are listed please list affected versions for each issue and/or who reported them (so we can determine CVE split/merge).

REQUESTED

  1. More of the above information of course
  2. Software version(s) fixed (if available)
  3. For closed source any of the information from “For Open Source at least one of:”
  4. Any additional information
disclosure/cve.txt · Last modified: 2014/06/04 17:52 by solar
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate to DokuWiki Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki Powered by OpenVZ Powered by Openwall GNU/*/Linux Bookmark and Share