On Wed, Jan 22, 2025 at 11:17:54AM +0100, Matthias Gerstner wrote:
> Hello list,
>
> I am currently experiencing for the second time that a CVE request
> submitted via the Mitre web form [1] is not receiving a response. A
> similar topic was already briefly discussed in the past [2].
>
> I requested two CVEs on Jan 13. One got assigned within 24 hours; for
> the other one I still haven't received a reply. The same happened to me in
> April 2024. Back then, after not receiving a reply for over two weeks,
> the CVE was assigned by Red Hat instead, since Red Hat developers
> had been involved in the affected project.
>
> In this instance upstream is not a CNA and it is also not closely
> involved with Red Hat. Replying to the automatic CVE request mail from
> Mitre does not seem to reach any human being. I don't know of any other
> way to get attention from Mitre for this request.
>
> I wonder what the best way is to recover from such a situation without
> risking duplicate CVE assignments, or not assigning a CVE at all.
>
> I have a hunch that the issue might have to do with filling out the "PGP
> Key" field in the CVE request form, which I did for the one request that
> has not been answered, but not for the other, which got assigned right
> away.
I can't answer the "what magic do I do to make the web form work" as I
never got that thing to work, so we had to end up being our own CNA just
to handle issues :)

But this topic has come up recently in talking with other open source
CNA groups. The "real" solution for it is to talk to a different root
CNA (i.e. anyone other than MITRE). For open source projects, that
_should_ be Red Hat, but I don't know if they yet have a simple way to
ask for stuff like this, other than the back-channel you probably used
last time. I think RH is working to codify this somehow, but I can't
speak for them.

Or, better yet, as SUSE is a CNA, why not just assign CVE ids yourself,
as part of the "open source projects affected in a SUSE product that are
not covered by any other CNA" rules. Doesn't your CNA charter allow you
to do this now?

Anyway, I just recommend avoiding the MITRE web form as much as
possible, as it's a total black box and no one knows what is on the
backend or where the information there goes to :(

thanks,

greg k-h