CVE demystified

As a security researcher, as a beginner, you may see the fact of having your own CVE as the Graal.

What are CVEs ? Who can request them ? Is it possible to get your own ? Where to search ? What products ?

Let’s demystify the legend.

About CVEs

There can be many reason to have your own CVE: learn the process, show off on Twitter, put it on your resume so recruiters will be impressed without exactly knowing what it means or whatever… No judgement :) Some will consider that stupid, some will take it as a recognition, anyway, I think it’s interesting to give it a try as soon as you step in the security industry so you can understand how it works and what it really means.

The Common Vulnerabilities and Exposures is a listing of public informations about security vulnerabilities. It’s mainain by The Mitre Corporation, supported by the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.

If you take a look at the details of the Shellsock CVE, you’ll see the following informations:

CVE-ID: the identifier looks like this: CVE-YYYY-XXXX where YYYY is the year it’s been assigned and XXXX an incremental number.

Description: a short description of the issue itself.

References: a list of URLs: articles, public announcement, exploits…

Assigning CNA: The CVE Numbering Authorities who assigned the CVE-ID to the issue.

Date Record Created: The date the entry was created.

Phase, Votes, Comments and Proposed are obsolete fields.

cve informations

Find bugs

You can easily find a candidate product according your ambition. You should consider that it might be harder to find an issue in the core of a product like GitLab than a Wordpress plugin having 100 downloads, created 5 years ago and not maintain anymore.

You can check what is the last fashion in the sec world by downloading the CVEs database or follow CVEnew on Twitter which is a nice way to stay up to date.

A good option is to perform a CVE search regarding your skills or check projects on directories like which is an AMAZING source of potential CVEs (strongly recommended for low hanging CVEs).

cve search

Once you find a project that fit your requirements, it’s important to check the existing CVEs for this product. It will give you a good idea of how popular it is, how secure it is, what kind of issue you can expect.
Too many results means that there is a lot of bugs and probably many people already working on it, no result means it’s very secure or no one checked it for now…

Finally download the choosen project and give it a try! If you’re a beginner in code audit, take look at this old article I wrote about Wordpress testing, you’ll find some quick but useful regexps.

Request process

Note that everyone can Report Vulnerability/Request CVE ID.

First of all I recommend to read the official guide that provide all details needed regarding the request process which is pretty straight forward.

Once you find an issue, you should absolutely check if it has been reported before. You cannot report the same issue twice, it will be rejected. So once again take some time to check the existing CVEs for the chosen project.

If your issue seems to be undeclared, you can contact the vendor with all details:

  • name of the project
  • vulnerable url/parameter
  • how to reproduce the bug
  • screenshot/video
  • exploit

You’re supposed to give the author some time to fix the shit and release a new version.

The next step is to fill the form with the form there:
Select the option “Report Vulnerability/Request CVE ID” and fill all necessary informations.
Feel fee to search for the same type of issue to help for the description.

Once submitted, you’ll get an email confirm ing your request has been received, it looks like this: cve request confirmation

If accepted you’ll later get another email with your CVE-ID and a recap of all the informations about it.

Finally you can publish an article and send the URL to mitre by replying this email OR go back to the request form and select “Notify CVE about a publication”. Your CVE references will be updated.

And that’s it, nothing much!

Note that the whole process can take some time depending the popularity of the project you have chosen, how critical is your bug and how busy the peoples behind this process are.