1-877-805-7475

Contact Us

Login

GET STARTED

How to Publish a CVE Vulnerability

Table of Contents

A computer security vulnerability is a weakness that can be exploited by a hacker. These weaknesses can be found in the software, hardware, or firmware of a computer system. Common Vulnerabilities and Exposures (CVE) is a dictionary of computer security vulnerabilities. It is maintained by the MITRE Corporation and is used by government agencies, businesses, and researchers to share information about security vulnerabilities. In this blog post, we will discuss the process of publishing a CVE vulnerability.

Confirm that your vulnerability is new

You have identified a new computer vulnerability in a software product. The first step is to ensure that this vulnerability is new by doing searches. If your searching in any of the following repositories indicates that your vulnerability has already been assigned a CVE identifier, then it’s not new and it doesn’t need to be published.

CVE

The first database to search is Mitre’s CVE catalog. The CVE catalog is a list of computer security vulnerabilities that have been assigned a CVE identifier.

The National Vulnerability Database (NVD)

Another place to search is the National Vulnerability Database (NVD). The NVD is a repository of computer security vulnerabilities maintained by the US government.

GitHub, ExploitDB, and PacketStorm

Among the other databases worth searching are GitHub, ExploitDB, and PacketStorm. These are repositories of computer security exploits.

Google

It doesn’t hurt to also do a quick search on Google. Just be aware that some of the results may not be accurate. The reason for this is that Google indexes CVE identifiers and sometimes includes them in the search results even if the vulnerability has not yet been assigned a CVE identifier.

Contact the vendor of the affected product

When your searches allow you to confirm that the vulnerability you’ve identified is new, the next step is to contact the vendor of the affected product. The vendor is the company that makes the software, hardware, or firmware in which you’ve found the vulnerability.

From that point, several scenarios can unfold:

If the vendor is cooperative

You’ve contacted the product owner to alert them to the new computer security vulnerability. They are cooperative and want to work with you to resolve the issue. The vendor will assign a CVE identifier and add the entry to their security advisory.

If the vendor is uncooperative

You’ve contacted the product owner, but they do not want to work with you. They may be uncooperative for any number of reasons. In this case, you can still submit a request to the CVE dictionary to have a CVE identifier assigned.

If the vendor is non-responsive

You’ve contacted the product owner, but you don’t get a response. This is known as being “non-responsive.” In this case, you can also submit a request to the CVE dictionary to have a CVE identifier assigned.

If the vendor offers a bug bounty

If the vendor decides to offer a bug bounty, they will issue a request for information (RFI) to solicit reports of computer security vulnerabilities. The RFI will include a list of criteria that must be met for the submission to be eligible for the bug bounty.

Publish your vulnerability in the CVE catalog

The publishing process can be broken down into the following steps:

Gather information about the vulnerability

The information you’ll need to pull together includes the following:

  • Attack type
  • Impact
  • Affected component
  • Attack vector
  • How the vendor acknowledged the vulnerability
  • Some public references

MITRE even provides their own description templates:

  • [VULNTYPE] in [COMPONENT] in [VENDOR][PRODUCT] [VERSION] allows [ATTACKER] to [IMPACT] via [VECTOR].
  • [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Create a CVE request

A CVE request is simply a request to have a CVE identifier assigned. The request must include all of the information mentioned above.

Submit the CVE Request

After you send your CVE request, it will be reviewed and, if approved, your vulnerability will be assigned a CVE identifier and be published. In any case, always make sure that your newly found vulnerability follows a responsible disclosure process agreed with the vendor.

Wrapping up

Finding a new vulnerability and having it published in the CVE catalog can be a gratifying experience. For some vulnerability researchers, it could mean a great career boost. At any rate, following a strict ethical approach that includes the vendor’s agreement is essential at any stage of this publishing process. Adhering to responsible disclosure also helps ensure that the vendor releases a patch before the vulnerability gets published, thus keeping the attackers at bay.

In the same spirit, improving your application security by identifying and fixing your vulnerabilities before an attacker can exploit them only makes sense.

If you need help testing your systems to fix their vulnerabilities, contact us.

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.
This field is for validation purposes and should be left unchanged.

Share this article on social media:

Recent Blog Posts

Enterprise Cybersecurity Threats: Mitigation Strategies

Best Practices

CDAP grant: Cybersecurity Guidance by CDAP Digital Advisor

Cybersecurity Grant

Cheap Penetration Testing Options and What to Expect from Them

Penetration Testing

Types of SQL Injection

Application Security

Recent Cybersecurity Incidents

Security Incidents

Best Cybersecurity Certifications in 2023

Certifications

Top Supply Chain Cybersecurity Risks

Cybersecurity Trends

What Is Cybersecurity Risk Management?

Enterprise Security

View more recent posts →

Featured Services

017_03_Artboard 57

Web Application Penetration Testing

External Network Penetration Testing

017_03_Artboard 54

Internal Network Penetration Testing

Medical Device Penetration Testing

020_01_Artboard 85

Cloud Infrastructure Penetration Testing

013_Artboard 8

Enterprise
Cybersecurity Audit

Categories

Need Help With Your Cybersecurity Risks?

LEARN MORE

The Latest Blog Articles From Vumetric

From industry trends,  to recommended best practices, read it here first:

VIEW MORE BLOG ARTICLES →

GET STARTED TODAY

Tell us About your Needs
Get an Answer the Same Business Day

Got an urgent request? Call us at 1-877-805-7475 or Book a meeting.

What happens next:

A Vumetric expert will contact you to learn more about your cybersecurity needs and goals.

The project's scope will be defined (Target environment, deadlines, requirements, etc.)

A detailed quote including all-inclusive pricing and statement of work is sent to you.

PCI-DSS
This field is for validation purposes and should be left unchanged.

Have a Question?

CONTACT US
Got an Urgent Need?
1-877-805-7475

Stay Updated on Cyber Risks

Subscribe to the Vumetric Monthly Bulletin to keep up with breaking news in the cybersecurity industry.

This field is for validation purposes and should be left unchanged.
1-877-805-7475
Contact us
© 2024 Vumetric Inc. All Rights Reserved.
Twitter Linkedin-in Facebook-f Rss
Privacy Policy    |    Contact Us    |    About
2024 EDITION

PENETRATION TESTING Buyer's Guide

Everything You Need to Know

Gain confidence in your future cybersecurity assessments by learning to effectively plan, scope and execute projects.
FREE DOWNLOAD

BOOK A MEETING

Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g: gmail.com, hotmail.com, etc.)

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.