Can you request a CVE ID for a vulnerability?

Can you request a CVE ID for a vulnerability?

CVE prioritizes the assignment of CVE Identifiers (CVE IDs) for the products, vendors, and product categories listed below, but you may request a CVE ID for any vulnerability. Locate the correct CVE Numbering Authority (CNA) whose scope includes the product affected by the vulnerability in the CNAs table below.

How to request a CVE ID from Mitre?

Please use our CVE Request web form to request CVE IDs directly from the MITRE CNA of Last Resort (CNA-LR). Upon completion of the form, you will receive a confirmation email message that includes a reference number.

Who is authorized to assign a CVE ID?

CNA of Last Resort (CNA-LR) – organization authorized to assign CVE IDs and to create and publish CVE Records for vulnerabilities not covered by the scope of another CNA.

What makes a root responsible for a CVE ID?

Top-Level Root – a Root that does not report to another Root, and is thus responsible to the CVE Board. Bug Bounty Programs – assigns CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings.

How can I report a new vulnerability to mitre.org such?

CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

Who is responsible for the assignment of CVE IDs?

CNA – organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.

What does it mean to be a CVE numbering authority?

Operating under the authority of the CVE Program, “ CVE Numbering Authorities (CNAs) ” are organizations that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed upon scope, for inclusion in first-time public announcements of new vulnerabilities.