Publishing CVEs

This will guide you through the process of identifying, disclosing, and publishing a CVE responsibly.

  1. Identify a New Vulnerability: Research and ensure that the vulnerability you've discovered hasn't been reported. Check if the vulnerability has already been reported in the MITRE Database or other databases such as exploit-db

  2. Responsible Disclosure to Vendor: Contact the product's vendor or owner to report the vulnerability discreetly. Document all communication attempts for proof that you have tried to multiple times to contact the vendor in order to remediate the finding before going public with your research

  3. Work with Cooperative Vendors: If the vendor is responsive, collaborate on a mitigation strategy and agree on a coordinated disclosure timeline.

  4. Handling Non-Responsive Vendors: If there's no response, consider waiting for a period (30 to 90 days) before public disclosure. Meanwhile, apply for a CVE ID from MITRE.

  5. Request CVE ID from MITRE: Submit the vulnerability details to MITRE for a CVE ID by requesting a CVE ID from MITRE via the CVE Submission Form. This process can take time, and the CVE will initially be in a 'RESERVED' state.

  6. Publishing the CVE: Once you've waited the agreed-upon time and have the CVE ID, publish your findings on platforms like PacketStorm Security or CX Security. Include the CVE ID in your publication.

  7. Notify MITRE of Publication: After publishing, inform MITRE with the publication links to update the CVE from 'RESERVED' to 'PUBLISHED'.

Additional References

Trustwave's Guide: "A Simple Guide to Getting CVEs Published" offers a comprehensive step-by-step process. Trustwave Guide

Last updated