by bkor 3437 days ago
CVE is an invite-only system, applied to just a few projects. See e.g. https://cve.mitre.org/cve/data_sources_product_coverage.html. Generally you need to know someone to get such an ID.

If you have a bug in some GitHub project you cannot request a CVE for that. If a CVE is reported you'd usually include that in the commit. But that's not the same as saying every security bug should have a CVE. It's often way easier to just fix bugs instead of figuring out if it is a security bug (= the method Linus uses).


I don't know any insider, but obtaining a CVE was not really difficult:

http://seclists.org/oss-sec/2016/q3/231

(and it was not even my project... I just reported the bug)

Now the workflow has changed a bit; in fact, the link that you shared says "For open source software products not listed below, request a CVE ID through the Distributed Weakness Filing Project CNA.", which is just an easy-to-fill Google form. Not such a closed system as you seem to imply.

(OTOH, obviously CVE cannot guarantee or pretend to have universal coverage of every security issue that ever existed.)

I generally like systemd, but it's irresponsible not to publicly communicate about such an issue if you're aware that it's actually a security issue.

Fix bugs before investigating, that's OK... but not communicating it means that you'll leave downstream users exposed to it, since it won't prompt maintainers to ship the patch/upgrade.

If you go to https://cve.mitre.org/ it has a link "Request a CVE ID" which IMO explains that it is only for some products, not all. Alternatively there's also a web link below it which wants a GPG key, etc. Alternatively you can email some mailing list, but I don't see where this is documented.

The complaint was that the CVE should've 1) been included in the commit and 2) been made. IMO the entire thing is confusing.

I'd also like to repeat: it's super nice that things are reported and have a CVE. But that doesn't mean every security commit will be seen as related to security.

I'm pretty sure I've seen enough interesting commits in gdk-pixbuf: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=49dcd2d58...

I don't believe the workflow has changed. CVEs for public security issues in free software should be requested on oss-security.

And even if you don't care about the CVE business, posting to oss-sec about your bugs is the right thing to do.

There seems to be a pretty major backlog for getting CVE numbers, such that for not-hugely-impactful ones it seems like the CVE request people won't take any time to discuss things.

Saying that after trying to get a CVE for a low-risk problem with CMake on Windows. I applied for a CVE (months ago), and the only response received was:

  Please resend your CVE request properly (the description was not filled out properly) and
  resubmit. The correct format is:

  [Vendor name] [product name] version [version info] is vulnerable to a [single flaw type]
  in the [component] resulting [some impact].

Which is strange. I looked over the original submission, and there's nothing that I'd change in it. I emailed the person back asking for clarification and received zero reply.

If it was a high risk bug, I'd probably take the time to follow up more. Since it's not though... ;D
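The one-line description template quoted in the rejection above is the only concrete technical artifact in this thread, so here is a small self-check a requester could run before submitting. This is an added example, not a MITRE or DWF tool and not code from anyone in the thread; it assumes only the template as quoted ("[Vendor name] [product name] version [version info] is vulnerable to a [single flaw type] in the [component] resulting [some impact]") and uses constructed sample descriptions. The function and field names (`compose_description`, `parse_description`, `lint_description`) are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Template as quoted in the thread (assumption: this is the shape the assigner
# wanted; it is not an official grammar). A requester can compose a line from
# structured fields, or lint a hand-written line against the shape.
TEMPLATE_RE = re.compile(
    r"^(?P<vendor_product>.+?) version "
    r"(?P<version>\S+(?: and earlier| through \S+)?) "
    r"is vulnerable to an? (?P<flaw>.+?) in the (?P<component>.+?) "
    r"resulting (?:in )?(?P<impact>.+?)\.?$"
)


@dataclass
class CveDescription:
    vendor_product: str  # the template keeps vendor and product as free text
    version: str
    flaw: str
    component: str
    impact: str


def compose_description(vendor: str, product: str, version: str,
                        flaw: str, component: str, impact: str) -> str:
    """Render the fields into the template's one-sentence shape."""
    article = "an" if flaw[:1].lower() in "aeiou" else "a"
    return (f"{vendor} {product} version {version} is vulnerable to "
            f"{article} {flaw} in the {component} resulting in {impact}.")


def parse_description(text: str) -> Optional[CveDescription]:
    """Return the template's fields, or None if the line does not fit it."""
    m = TEMPLATE_RE.match(text.strip())
    if m is None:
        return None
    return CveDescription(**m.groupdict())


def lint_description(text: str) -> List[str]:
    """List the reasons an assigner could bounce this description."""
    problems: List[str] = []
    parsed = parse_description(text)
    if parsed is None:
        problems.append("does not match '<vendor> <product> version <v> is "
                        "vulnerable to a <flaw> in the <component> resulting "
                        "in <impact>'")
        return problems
    # "single flaw type": one request per weakness, so reject conjunctions.
    if re.search(r"\b(and|or)\b|,", parsed.flaw):
        problems.append("flaw lists more than one weakness; file one request per flaw")
    if not re.search(r"\d", parsed.version):
        problems.append("version info contains no version number")
    return problems


if __name__ == "__main__":
    # Constructed sample; "Example Corp" and "Widget Server" are made up.
    good = compose_description("Example Corp", "Widget Server",
                               "2.3.1 and earlier", "stack-based buffer overflow",
                               "HTTP request parser", "remote code execution")
    print(good)
    print(lint_description(good))
    # Two flaws in one sentence, the kind of line the template is meant to stop.
    bad = ("Example Corp Widget Server version 2.3.1 is vulnerable to a buffer "
           "overflow and use-after-free in the parser resulting in denial of service.")
    print(lint_description(bad))
```

The regex is deliberately narrow: a description that does not parse is reported as a single template mismatch rather than guessed at, since the point of the check is to match what the assigner asked for, not to accept anything readable.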

That is not true anymore. You can get a CVE from MITRE for anything (they are the ultimate root authority), and for the Open Source world you can get a CVE from the DWF (https://distributedweaknessfiling.org), something that is currently slow because we're working on automating a lot of it and streamlining the process (I'll be giving a talk on this at RSA: Saving CVE with OpenSource: https://www.rsaconference.com/events/us17/agenda/sessions/56... ).

My goal long term is to have CVE requests take <5 minutes for the requestor and <1 minute for the assigner to process. We need to scale this out and simplify it vastly. People need to be aware of security flaws so they can be dealt with, and CVE is the best option for this we have currently.

You need to be an invited project to be able to allocate CVEs out of a block, but you can absolutely request CVEs from one of the participating projects (including MITRE themselves) as a random person. See https://cve.mitre.org/cve/request_id.html . Contacting one of the large OSS product security teams like Red Hat's is also a fine option.

Yes you can. You report it on the oss-security mailing list and request a CVE and one will be assigned to you.

The CVE-HOWTO by Red Hat is a good resource to find out about the process:

https://github.com/RedHatProductSecurity/CVE-HOWTO