Getting CVE ID

After the publication of our article “CSRF in Umbraco CMS”, we received several messages asking about the process of obtaining a CVE. This article discusses what to do when a vendor refuses to assign a CVE identifier to a vulnerability found in its product.

Handling a discovered vulnerability has three main stages:

  1. Vendor Notification
  2. Confirmation and remediation of the vulnerability
  3. Public Disclosure

After finding a vulnerability in a product, you need to write a detailed report for the vendor and find the right contact details. If the vendor publishes dedicated product security contacts and public encryption keys, you can immediately send an encrypted report. This is the best option for the researcher. However, this is not always the case. If there are no separate security contacts (and no encryption keys), you have to start the correspondence through a general-purpose address. The first letter should state that a vulnerability has been identified, ask for the contacts of those responsible for security, and ask how to deliver the report in a protected form. Note that vendor representatives sometimes ask for the report to be sent without any encryption.
Each letter should state the deadline after which information about the vulnerability will be disclosed publicly (no more than 4 months from the date of the first contact).

This allows you to publish even if the vendor never responds to your letters, or responds only after a long delay.

Public disclosure can be handled in different ways in each case: it all depends on the criticality and scope of the vulnerability found. That, however, is beyond the scope of this article.

The report contains the following sections:

  • Title (name of vulnerability)
  • The product in which the vulnerability was discovered
  • Version (or versions) of vulnerable products
  • CVSS severity rating (and/or a simple Low to Critical rating)
  • Discovery date
  • Vulnerability Description
  • Exploitation example (proof of concept)
  • Remediation recommendations

Most often, the vendor makes contact and, after a while, reports its timeline for fixing the vulnerability. The date of public disclosure is then agreed jointly, and it may differ from the deadline stated earlier. Sometimes the information can be published sooner, but in most cases the vendor asks for more time.

It is at this point that you need to obtain a CVE identifier so that it can be included in the publication.

Let us consider the process in more detail.
In theory, the identifier should be assigned by the developer of the vulnerable product, but this does not always happen. In such cases, the researcher can obtain a CVE on their own. To do this, go to the site and find the following form there:

In the request type, select "Request a CVE ID" and fill in all the fields.

MITRE has an excellent FAQ that will help with filling out the form.

After the form is submitted, an automatic reply containing the request number arrives at the email address you specified. This number can and should be quoted in all further correspondence:

About a day later, the CVE identifier is issued:

Victory! The vulnerability information can now be published with all the relevant details, including the CVE identifier.

Ask questions and share your experiences in the comments and in our Facebook group!