CVE Numbering Authority

Points of Contact (POC)

  • Seth Michael Larson
  • Ee Durbin

All Points of Contact are subscribed to the CNA email mailing list.

When updating any of the above Points of Contact, MITRE must be notified prior to making the change. The primary POC must have their phone number on file with MITRE in case a vulnerability is on the "Known Exploited Vulnerability" list and the CVE or advisory isn't published.

CVE Services Organization Accounts

The following accounts are Organization Accounts (OA) for CVE Services. These accounts can manage other CVE Services accounts, reset credentials, and create new users.

  • Ee Durbin
  • Seth Michael Larson

CVE Services accounts must be disabled by an OA when a user no longer needs to manage CVE Services.

Processes

CNAs must act according to the latest version of the CNA Rules. When in doubt, consult the latest version of the rules or ask other CNAs for guidance.

Below are step-by-step guides on how to execute common CNA processes.

Signing in to Vulnogram

  • If you're signed in to a different CVE Services account (like the test portal) then refresh the tab to ensure logging in to a new account works correctly.
  • Go to the hosted Vulnogram instance.
  • Log in using your production CVE Services credentials.
  • Ensure that "Portal: production" appears in the top right of the CVE Portal tab. If it reads "Portal: test" or something else, log out and log in again with your production CVE Services credentials.

Reserving a CVE ID

CVE IDs should only be reserved for projects in the CNA scope and when the security team for the affected project agrees that the report constitutes a vulnerability.

  • Sign in to Vulnogram.
  • In the CVE Portal tab, select "Reserve One CVE".
  • You'll see "Got CVE-20XX-XXXX" below the "Reserve One CVE" button. This CVE ID is the one that's been reserved. Immediately send this CVE ID to wherever it was requested (e.g. the email thread or the Python Security Response Team discussion).
  • Once a CVE ID has been created and shared, it must be explicitly rejected if this CVE ID was created erroneously. Unused CVE IDs should not be stored or reused.

Publishing a CVE Record

CVE Records must be published within 24 hours after (but not before) the advisory is published.

It's possible to do most of the steps below before the advisory is published if the CNA operators are involved in the vulnerability handling process, but hold off on publishing the CVE Record, adding the vendor advisory reference URL, and filling in the "Public at" field until the advisory is published.

Refer to CVE Record Requirements in the CNA Rules for a full list of requirements and recommendations.

  • Sign in to Vulnogram.
  • In the CVE Portal tab, select the "Reserved" filter option for CVE IDs.
  • Find the CVE ID corresponding to the vulnerability you'd like to publish.
  • Click the CVE ID link to open the CVE Record editor.
  • Fill in the following fields:
    • Title
    • Public at (corresponding to the publish date/time of the advisory)
    • Problem Type (use the CWE Database for help finding CWE IDs)
    • Vendor or project (use "Python Software Foundation" or "Pip maintainers")
    • Product name (use "CPython" or "pip")
    • Source repository (https://github.com/python/cpython)
    • Versions (double check these are accurate by looking in the "Preview" tab)
    • CVE Description
      • The CVE Description has specific requirements, such as the affected versions and the impact.
      • See Prose Description Requirements in the CNA Rules for more information.
    • Credits
      • Credits of type reporter, coordinator, remediation developer, and remediation reviewer are recommended.
      • The reporter may want to remain anonymous; we should respect this request. Other roles are likely public information on GitHub.
    • References with the following tags:
      • Link to the advisory in the security-announce@python.org archive with tag vendor-advisory
      • Link to the GitHub pull request with tag patch
      • Link to the GitHub issue with tag issue-tracking
  • If applicable, fill in the following fields:
    • Platforms (if the vulnerability only affects a subset of OSes/architectures/bit depths)
    • Package collection URL (https://pypi.org for pip)
    • Package name (pip)
    • Modules, components, features
  • If no CVSS score has been assigned, ensure that the CVSS metric section has been explicitly removed from the record. By default, this section contains a 10/10 CVSS score.
  • After filling in all fields, check that everything looks accurate in the "Preview" tab.
  • Send the CVE Record JSON to another CNA operator for review:
    • In the "Source" tab of Vulnogram, copy the JSON document.
    • Paste the JSON document into the #cna PSF Slack channel and ask for a review.
    • Reviewers can paste the CVE Record JSON into their own Vulnogram instance to review the fields.
  • Once approved, the CVE Record is ready to be published. Select "Post to CVE.org" at the bottom of the Editor tab to immediately publish the CVE Record.
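Before asking for a review in #cna, the checklist above can be run over the exported JSON mechanically. This is an added example, not part of the PSF runbook or of Vulnogram; it assumes the record uses the public CVE JSON 5 field names that Vulnogram's "Source" tab exports, and the sample record is constructed.

```python
import json

# Reference tags the runbook above requires on every published record.
REQUIRED_REF_TAGS = {"vendor-advisory", "patch", "issue-tracking"}

# Constructed sample in the CVE JSON 5 shape that Vulnogram's "Source" tab exports
# (assumption: the public CVE JSON 5 field names; all values here are made up).
SAMPLE_RECORD = json.loads("""{
  "cveMetadata": {"cveId": "CVE-20XX-XXXX", "state": "PUBLISHED"},
  "containers": {"cna": {
    "title": "Constructed example title", "datePublic": "2024-01-01T00:00:00Z",
    "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-XXX"}]}],
    "affected": [{"vendor": "Python Software Foundation", "product": "CPython",
                  "repo": "https://github.com/python/cpython",
                  "versions": [{"version": "3.x.0", "lessThan": "3.x.y", "status": "affected", "versionType": "python"}]}],
    "descriptions": [{"lang": "en", "value": "Constructed text naming versions and impact."}],
    "credits": [{"lang": "en", "value": "Anonymous reporter", "type": "reporter"}],
    "references": [
      {"url": "https://advisory.example/constructed", "tags": ["vendor-advisory"]},
      {"url": "https://github.com/python/cpython/pull/0", "tags": ["patch"]},
      {"url": "https://github.com/python/cpython/issues/0", "tags": ["issue-tracking"]}]
  }}
}""")


def review_record(record):
    """Return the checklist problems found; an empty list means ready for reviewer sign-off."""
    cna = record.get("containers", {}).get("cna", {})
    problems = [f"missing {f}" for f in ("title", "datePublic") if not cna.get(f)]
    # Problem Type: at least one CWE ID must be present.
    cwes = [d.get("cweId") for pt in cna.get("problemTypes", []) for d in pt.get("descriptions", [])]
    if not any(cwes):
        problems.append("problemTypes has no CWE ID")
    # Vendor, product and versions on every affected entry.
    affected = cna.get("affected", [])
    if not affected:
        problems.append("no affected product")
    problems += [f"affected entry missing {f}" for a in affected
                 for f in ("vendor", "product", "versions") if not a.get(f)]
    if not any(d.get("lang", "").startswith("en") and d.get("value") for d in cna.get("descriptions", [])):
        problems.append("no English description")
    if not cna.get("credits"):
        problems.append("no credits")
    # Every required reference tag must appear on at least one reference.
    tags = {t for ref in cna.get("references", []) for t in ref.get("tags", [])}
    problems += [f"no reference tagged {tag}" for tag in sorted(REQUIRED_REF_TAGS - tags)]
    # Vulnogram's unedited default is a 10/10 score: flag it so it is removed or confirmed.
    scores = [(k, v.get("baseScore")) for m in cna.get("metrics", []) for k, v in m.items() if isinstance(v, dict)]
    problems += [f"{k} baseScore is 10.0; remove the section unless a score was assigned" for k, s in scores if s == 10]
    return problems
```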

CVE ID Assignment Requests

We'll receive requests from the cna at python.org mailing list requesting CVE IDs.

If a requester asks for a CVE ID for a vulnerability, forward the request to the corresponding project's security team by adding the security team's email address and removing the CNA email address (while keeping yourself on the thread).

It is the responsibility of the project security team to determine whether a report is a vulnerability. Once the security team has determined that the report constitutes a vulnerability, a CVE ID can be reserved and shared with the reporter.

CVE Dispute and Update Requests

We'll receive requests from the cna at python.org mailing list to update CVE Records or to dispute CVE IDs and Records. We must respond to these requests within the following timeline:

  • 3 days to acknowledge the dispute.
  • 5 days after the acknowledgement to make a decision or extend and inform the requester.
  • 15 days after the extension decision to make a final decision or escalate to MITRE, resulting in a new dispute cycle.

When a dispute for a CVE ID or Record is being considered, read the process on correcting CVEs in the CNA Rules. This section contains guidance on rejecting, splitting, merging, and resolving validity of CVE IDs and Records.

Many requests will be to update a given CVE Record, for example to add a reference to a third-party vendor advisory or an affected product. Check the validity of these new references and, if deemed useful, add them as references to the CVE Record.

To update a CVE Record:

  • Sign in to Vulnogram.
  • In the CVE Portal tab, find the CVE ID in question and click the CVE ID link. This should open the CVE Record in the editor tab.
  • Update the fields that must be updated with new values.
  • Inspect the updated fields in the Preview tab.
  • Scroll to the bottom of the Editor tab and select Post to CVE.org to update the CVE Record.

To mark a CVE as disputed:

  • Sign in to Vulnogram.
  • In the CVE Portal tab, find the CVE ID in question and click the CVE ID link. This should open the CVE Record in the editor tab.
  • Add ** DISPUTED ** at the beginning of the CVE Description along with a short note on why the vulnerability is disputed.
  • Inspect the updated fields in the Preview tab.
  • Scroll to the bottom of the Editor tab and select Post to CVE.org to update the CVE Record.

To reject a CVE Record:

  • Sign in to Vulnogram.
  • In the CVE Portal tab, find the CVE ID in question and click the CVE ID link. This should open the CVE Record in the editor tab.
  • Scroll to the bottom of the tab and select Reject this ID to move the record and ID to the "Rejected" state.

Once an action is taken or a decision to not take an action is made, inform the requester of the decision. At this point we're off the clock on this request.