
How do CVEs get issued? Where do I apply, who makes decisions, and what software is covered by them?

I know these questions are technically answered out there on the internet. But I looked into it a couple of years ago after finding a horrible bug in a popular npm package and the answers weren't clear to me.

Can a CVE be issued in retrospect?



> How do CVEs get issued? Where do I apply, who makes decisions

For most (but certainly not all) projects, you fill out a simple form [0]. I've done it before and it's fairly easy.

> and what software is covered by them?

All software is covered by someone, usually by the vendor themselves or MITRE.

> Can a CVE be issued in retrospect?

Absolutely, but it's fairly uncommon.

[0]: https://cveform.mitre.org/



