Replies: 1 comment
hello @ay-kay! 👋 I'm the manager of the GitHub open source CNA team within the Lab and can provide guidance for you. As a CNA, we only assign CVE IDs to code owners when they request them from us as part of disclosing using a GitHub repository security advisory. We don't require a CVE ID for a repo or global GHSA, nor do we automatically assign a CVE ID to all repo GHSAs. The primary reasons for this are:
Given that the maintainer has been unresponsive in this case, it unfortunately seems unlikely that you'll be able to have them create a repository GitHub Security Advisory to then request a CVE ID from my team. I saw in the huntr thread that MITRE had previously rejected your request due to scope overlap with huntr. I suspect that the feedback you received about scope overlap may not be quite right, given that huntr made a public statement saying that they will not assign, but CNAs of Last Resort like MITRE should be able to. I'd encourage you to make another request to MITRE, explicitly denote that the CNA whose scope covers this project has elected not to assign and will allow another CNA to, and feel free to include this discussion as a reference. I'll also take the action to personally flag this discussion to the MITRE CVE team for review to get you some more support!
Hello,
I recently reported a vulnerability (Huntr Bounty Link) which has been fixed by the maintainer and is now listed in the GitHub Advisory Database. However, I noticed that no CVE ID has been assigned to it yet.
Could you please provide guidance on the process to have a CVE ID assigned to this advisory? Is there any additional information or action needed from my side?
Thank you for your assistance!