Add a guide for submitting CVE requests#86
Add a guide for submitting CVE requests#86timlegge wants to merge 1 commit intoCPAN-Security:mainfrom
Conversation
docs/cve-creation-guide.md
Outdated
|
|
||
| # Creating a CVE Request | ||
|
|
||
| This is an example of how to create a CVE with an older vulnerability from Mojolicious that did not have one previously assigned. |
There was a problem hiding this comment.
Should we use a general example like Foobar or something like that, rather than Mojolicious?
There was a problem hiding this comment.
I can change it it an example but likely should be generic
There was a problem hiding this comment.
@stigtsp the thing I like about using this example is that it exists and you can review the source info
There was a problem hiding this comment.
@stigtsp I looked at it but the example is likely best. The point was to give an example that someone could follow
There was a problem hiding this comment.
Should we use a general example like
Foobaror something like that, rather than Mojolicious?
Then please use Foo::Bar or Foo-Bar to make the distinction clear in what to use
There was a problem hiding this comment.
I use Foo-Bar in the security policy guide.
docs/cve-creation-guide.md
Outdated
| You can provide additional information that you may have if it is relevant. | ||
|
|
||
| Some possible additional information: | ||
| 1. If the vulnerability is embargoed (not publicly acknowledged or under a non disclosure of some sort) mention it here |
There was a problem hiding this comment.
Also, maybe worth mentioning that a vuln that has been discussed in public is by default public and not embargoed.
So References should not be given for anything embargoed
timlegge
force-pushed
the
cve
branch
2 times, most recently
from
6209ce7 to
8d99138
Compare
|
Can we have this branch updated and see what's left before merging? :-) |
|
Where we are here? |
|
Since we've become CNA, this description has likely become a bit outdated. We are going to work on the CVE workflow at PTS, maybe this is a good time to discuss how to document this and make it more accessible. |
timlegge
changed the title
|
I shortened this substantially now that we have a CNA |
robrwo
left a comment
robrwo
left a comment
There was a problem hiding this comment.
Looks alright. Some minor nits about wording.
| Send an email to cve-request@security.metacpan.org | ||
|
|
||
| # Reserving a CVE Identifier | ||
| If you have found a potential vulnerability in the scope of the CNA you can |
There was a problem hiding this comment.
You should define what the scope of the CNA is.
| before a CVE identifier will be issued. However, a CPAN author or Perl | ||
| Security may **reserve** a CVE number without providing details. The CVE | ||
| identifier will be reserved and the requester will be recorded. | ||
|
|
There was a problem hiding this comment.
I would reword this to improve clarity
The Perl Security Team may reserve CVE identifiers, as may CPAN authors for the modules that they maintain. All others may be asked to provide the details of the vulnerability before a CVE identifier will be issued.
The CVE identifier will be reserved and the requester will be recorded.
6 participants
No description provided.