Secondary Categories: 02 - Reporting Links: Search Tag:📖

Getting a CVE

Check the MITRE Database, Goolge, Github, etc. if the exploit already exist
Contact the vendor/product owner and disclose the issue.
- If the vendor has a bug bounty program then there may be some issues disclosing the issue
Take a LOT of screen shots
Archive/Save emails and documents all communication attempts
[ ]

If a vendor ghost you which is typically the case… Then here is what you need to do…

Disclosure is a gray area there are no defined rules, but most people wai 30 , 60, 09, or even 120 days after notifying the vendor before disclosing. Although this is for a case by case.

If you dont see the vendor on the CNA list, fill out: https://cveform.mitre.org/… It usually takes up to 30 days on average for MITRE to get back to you. Once you get a CVE ID then MITRE will notify you by email. Typically the CVE is marked in a reserved state. This means that the CVE has been accepted by MITRE, but has not been published yet

While you wait for the CVE to be published its typically good to continue to attempt to try to contact the vendor at least every 30 days. Once you have waited for however long you have decide then it time tp publish.

Publish Exposure

Publish exploit to PacketStorm Security/CX Security. A good format for the header is what Exploit-DB shows here: https://www.exploit-db.com/submit
Once the exploit has been published, send the links to MITRE by replying to the email they sent you with the link to the published POC/Exploit
MITRE typically has a quick turn around for this (1 day or so)
DONE!!! Congrats on the published CVE
OPTIONAL: You can now try to send you exploit/POC to exploit-db. They typicall ywont respond with an update…

Resources:

Title	URL
# A Simple Guide to Getting CVE’s	https://hyd3.home.blog/2020/10/02/a-simple-guide-to-getting-cves
MITRE PDF for how to get CVE	https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf

Created Date: June 26th 2022 13:29
Last Modified Date: June 26th 2022 13:29