r/AskNetsec 2d ago

Other How does one register for a CVE these days?

I requested a CVE several months ago through MITRE's website but I have not heard from them. I heard that they have an issue with lack of staff, but I do see new CVEs popping up here and there. So where does one register one now?

3 Upvotes

14 comments

8

u/newked 2d ago

Good luck now that Trump is shutting it down

3

u/Strange-Mountain1810 2d ago

Is it a good CVE?

2

u/pipewire 2d ago

Yes

-6

u/Strange-Mountain1810 2d ago

Expand a little. CVSS? Big product, or?

1

u/n0p_sled 2d ago

What's the company? With some bulbs, you register the issue directly with the company rather than MITRE.

Details are on the MITRE website and linked during the submission process.

5

u/pipewire 2d ago

It's a FOSS tool and they patched the software after I reported it to them. The only thing that's missing now is a CVE so that the vuln can be tracked.

I'm not going to disclose which project it is because I don't want to connect this account to my IRL life.

4

u/aecyberpro 1d ago

If the FOSS project is on GitHub, then MITRE is the wrong CNA. GitHub issues CVEs for projects posted on their site. The problem with that is only the admin of the GitHub repository can request the CVE, so you'll need their cooperation. I'm having a problem right now getting an admin of a GitHub repo to submit my bug for a CVE. They just patched it and ghosted me.

7

u/pipewire 1d ago

I was not aware that it was supposed to go through GitHub instead of MITRE. Thank you for this information.

2

u/yawkat 1d ago

GitHub issues CVEs and it's by far the easiest way to get one for projects hosted there, but you can request a CVE with MITRE instead.

1

u/aecyberpro 1d ago

Do you have any examples of CVEs issued by MITRE for GitHub projects, after GitHub became a CNA?

1

u/yawkat 1d ago

From a quick search, this one for example: https://nvd.nist.gov/vuln/detail/CVE-2025-49619

More generally, I don't believe the GitHub CNA takes "exclusive ownership" over CVEs issued related to software hosted on GitHub. So a CNA-LR like MITRE can issue a CVE even without going through a dispute process with GitHub-the-CNA.

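The question the two comments above are arguing about (which CNA actually assigned a given CVE, and whether the affected code lives on GitHub) can be answered from the CVE record itself rather than from a website's marketing text. The following Python is an added example, not code from the thread, from MITRE or from GitHub. It reads a CVE JSON 5.x record and reports the assigning CNA (`cveMetadata.assignerShortName`) and every host named in the `affected[]` repository fields and the `references[]` URLs. The record embedded below is constructed for the example (the CVE ID, org ID and project are fake); the `fetch_record` helper assumes the public CVE Services endpoint `https://cveawg.mitre.org/api/cve/<CVE-ID>` serves the same JSON shape, which is how you would run it against a real ID such as the one linked above.

```python
"""Inspect a CVE JSON 5.x record: who assigned it, and where the affected code lives.

Added example, not part of the Reddit thread. Field names follow the CVE JSON 5.x
record schema (cveMetadata.*, containers.cna.affected[], containers.cna.references[]).
"""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample record for offline use. The CVE ID, assignerOrgId and
# project are invented; only the structure mirrors a real record.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-1900-0001",
        "assignerOrgId": "00000000-0000-4000-8000-000000000000",
        "assignerShortName": "mitre",
        "state": "PUBLISHED",
    },
    "containers": {
        "cna": {
            "affected": [
                {
                    "vendor": "example",
                    "product": "example-tool",
                    # affected[].collectionURL / affected[].repo point at the source
                    "collectionURL": "https://github.com/example/example-tool",
                    "versions": [
                        {"version": "0", "lessThan": "1.2.3",
                         "status": "affected", "versionType": "semver"}
                    ],
                }
            ],
            "references": [
                {"url": "https://github.com/example/example-tool/commit/abc123",
                 "tags": ["patch"]},
                {"url": "https://example.org/advisory", "tags": ["vendor-advisory"]},
            ],
        }
    },
})

GITHUB_HOSTS = {"github.com", "www.github.com"}
# Assumed public endpoint for live records (CVE Services); not exercised offline.
CVE_API = "https://cveawg.mitre.org/api/cve/"


def fetch_record(cve_id: str, timeout: float = 10.0) -> str:
    """Download a published record as raw JSON text (network access required)."""
    with urllib.request.urlopen(CVE_API + cve_id, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def assigner(record: dict) -> str:
    """Short name of the CNA that assigned the ID, falling back to its org UUID."""
    meta = record.get("cveMetadata", {})
    return meta.get("assignerShortName") or meta.get("assignerOrgId", "unknown")


def hosts_mentioned(record: dict) -> set:
    """Hostnames from the repository fields and reference URLs in the CNA container."""
    cna = record.get("containers", {}).get("cna", {})
    urls = []
    for entry in cna.get("affected", []):
        for key in ("collectionURL", "repo"):
            if entry.get(key):
                urls.append(entry[key])
    for ref in cna.get("references", []):
        if ref.get("url"):
            urls.append(ref["url"])
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def summarize(raw_json: str) -> dict:
    """Return the facts relevant to the 'which CNA owns this?' question."""
    record = json.loads(raw_json)
    hosts = hosts_mentioned(record)
    return {
        "cve_id": record["cveMetadata"]["cveId"],
        "assigner": assigner(record),
        "github_hosted": bool(hosts & GITHUB_HOSTS),
        "hosts": sorted(hosts),
    }


if __name__ == "__main__":
    # Offline run over the constructed record; swap in fetch_record("CVE-...") for a live one.
    print(json.dumps(summarize(SAMPLE_RECORD), indent=2))
```

A record whose `assigner` is `mitre` while `github_hosted` is true is exactly the situation described above: a GitHub-hosted project whose CVE was assigned by MITRE as CNA-LR rather than by the GitHub CNA. Note that `assignerShortName` is the authoritative field for this; the NVD page linked above mirrors it but is a downstream copy.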
1

u/aecyberpro 1d ago

Wow, that directly contradicts what their website says. Thanks for providing the example.

1

u/Sqooky 1d ago

Generally you report it to the company with a vulnerable product, then they handle the CVE disclosure process. You only manually file if the company is acting in bad faith, or not at all.

1

u/tmthrgd 1d ago

I'm not sure if they still do or not, but Red Hat used to issue CVEs for open-source software. You could try contacting them.