Re: [Full-disclosure] Requesting/Reserving CVE Question

[Marcus Meissner <meissner@xxxxxxx>]

On Thu, Apr 28, 2011 at 06:42:13PM +0300, Henri Salo wrote:
> On Thu, Apr 28, 2011 at 09:14:57AM -0600, ctruncer@xxxxxxxxxxxxxxxxxxxxxx 
> wrote:
> > Hello all,
> > 
> > First off, if this isn't the place to ask this question, I apologize, and
> > feel free to ignore this e-mail.  
> > 
> > I've found a couple vulnerabilities in a web forum/portal/etc. product
> > called IP.Board.  I was looking to reserve a CVE number, and I attempted to
> > contact the address Mitre lists for reserving one, however, it's been
> > nearly a month and I have not received anything back from them.  This is
> > the first vulnerability I have found, and have never requested/reserved a
> > CVE before, so I am a little unfamiliar with the process (although based
> > off of the following website, it looks like all I need to do is send an
> > e-mail to them - http://cve.mitre.org/cve/obtain_id.html).  
> > 
> > I've sent follow up e-mails and I've received no response.  What my
> > question to you all is how long does this process take?  Is there something
> > else that should be done, or someone else the request should be sent to? 
> > What's time normal time frame from requesting a CVE number to hearing back
> > from them?
> > 
> > Thanks for any help/info/advice.  I appreciate it.
> > 
> > Chris
> 
> No luck. With open-source you could have tried:
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security

The oss-security list only handles opensource software, which IP.Board does not 
appear to be.

As for Mitre, just resend the e-mail, they usually answer at some point in time.
(They seem to be overworked, so its not just you.)

A simple e-mail requesting one as explained in obtain_id.html should work.

Ciao, Marcus

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/