Close Menu

    How to request a change to a CVE record

    How to request a change to a CVE record

    Ever come across a Common Vulnerabilities and Exposures (CVE) ID affecting software you use or maintain and thought the information could be better?

    CVE IDs are a widely-used system for tracking software vulnerabilities. When a vulnerable dependency affects your software, you can create a repository security advisory to alert others. But if you want your insight to reach the most upstream data source possible, you’ll need to contact the CVE Numbering Authority (CNA) that issued the vulnerability’s CVE ID.

    GitHub, as part of a community of over 400 CNAs, can help in cases when GitHub issued the CVE (such as with this community contribution). And with just a few key details, you can identify the right CNA and reach out with the necessary context. This guide shows you how.

    Step 1: Find the CNA that issued the CVE

    Every CVE record contains an entry that includes the name of the CNA that issued the CVE ID. The CNA is responsible for updating the CVE record after its initial publication, so any requests should be directed to them.

    On cve.org, the CNA is listed as the first piece of information under the “Required CVE Record Information” header. The information is also available on the right side of the page.

    A screenshot of the cve.org record for CVE-2023-29012, with a yellow rectangle drawn around the “CNA” field to draw attention to the fact that “GitHub (Maintainer Security Advisories)” is the CNA for CVE-2023-29012.

    On nvd.nist.gov, information about the issuing CNA is available in the “QUICK INFO” box. The issuing CNA is called “Source”.

    A screenshot of the nist.nvd.gov record for CVE-2023-29012, with a yellow rectangle drawn around the “Source” field to draw attention to the fact that “GitHub, Inc.” is the CNA for CVE-2023-29012.

    Step 2: Find the contact information for the CNA

    After identifying the CNA from the CVE record, locate their official contact information to request updates or changes. That information is available on the CNA partners website at https://www.cve.org/PartnerInformation/ListofPartners.

    Search for the CNA’s name in the search bar. Some organizations may have more than one CNA, so make sure that the CVE you want corresponds to the correct CNA.

    A screenshot of the cve.org “List of Partners.” The “Search” bar shows “GitHub,” being searched for, with two results of the search shown under the search bar. Those results are “GitHub, Inc.,” the CNA that matches the CNA responsible for CVE-2023-29012, and “GitHub, Inc. (Products Only),” a different CNA that GitHub also operates.

    The left column, under “Partner,” has the name of the CNA that links to a profile page with its scope and contact information.

    Step 3: Contact the CNA

    Most CNAs have an email address for CVE-related communications. Click the link under “Step 2: Contact” that says Email to find the CNA’s email address.

    A screenshot of the cve.org entry for the CNA “GitHub, Inc.” A yellow rectangle is drawn around a header and a link. The header reads “Step 2: Contact” and shows a link that says “Email” directly below the header.

    The most notable exception to the general preference for email communication among CNAs is the MITRE Corporation, the world’s most prolific CVE Numbering Authority. MITRE uses a webform at https://cveform.mitre.org/ for submitting requests to create, update, dispute, or reject CVEs.

    What to include in your communication to the CNA

    • The CVE ID you want to discuss
    • The information you want to add, remove, or change within the CVE record
    • Why you want to change the information
    • Supporting evidence, usually in the form of a reference link

    Including publicly available reference links is important, as they justify the changes. Examples of reference links include:

    • A publicly available vulnerability report, advisory, or proof-of-concept
    • A fix commit or release notes that describe a patch
    • An issue in the affected repository in which the maintainer discusses the vulnerability in their software with the community
    • A community contribution pull request that suggests a change to the CVE’s corresponding GitHub Security Advisory

    When submitting changes, keep in mind that the CNA isn’t your only audience. Clear context around disclosure decisions and vulnerability details helps the broader developer and security community understand the risks and make informed decisions about mitigation.

    The time it takes for a CNA to respond may vary. Rules 3.2.4.1 and 3.2.4.2 of the CVE CNA rules state:

    “3.2.4.1 Subject to their respective CNA Scope Definitions, CNAs MUST respond in a timely manner to CVE ID assignment requests submitted through the CNA’s public POC.

    3.2.4.2 CNAs SHOULD document their expected response times, including those for the public POC.”

    The CNA rules establish firm timelines for assignment of CVE IDs to vulnerabilities that are already public knowledge. For CVE ID assignment or record publication in particular, section 4.2 and section 4.5 of the CVE CNA rules establish 72 hours as the time limit in which CNAs should issue CVE IDs or publish CVE records for publicly-known vulnerabilities. However, no such guidance exists for changing a CVE record.

    What if the CNA doesn’t respond or disagrees with me?

    If the CNA doesn’t respond or you cannot reach an agreement about the content of the CVE record, the next step is to engage in the dispute process.

    The CVE Program Policy and Procedure for Disputing a CVE Record provides details on how you may go about disputing a CVE record and escalating a dispute. The details of that process are beyond the scope of this post. However, if you end up disputing a CVE record, it’s good to know who the root or top-level root of the CNA is that reviews the dispute.

    When viewing a CNA’s partner page linked from https://www.cve.org/PartnerInformation/ListofPartners, you can find the CNA’s root under the column “Top-Level Root.” For most CNAs, their root is the Top-Level Root, MITRE.

    A screenshot of the cve.org entry for the CNA “GitHub, Inc.” A yellow rectangle is drawn around an entry in a table to draw attention to the two items in the table that are being discussed in the post. The left column contains the category “Top-Level Root,” and the right column contains the entry “MITRE Corporation,” with the text containing a link to a page about the MITRE Corporation.

    Want to improve a CVE record and a CVE record’s corresponding security advisory? Learn more about editing security advisories in the GitHub Advisory Database.

    The post How to request a change to a CVE record appeared first on The GitHub Blog.

    Source: Read More 

    Related Posts

    Leave A Reply