本文详细介绍了如何请求更改Common Vulnerabilities and Exposures (CVE) 记录。首先，确定负责CVE的CNA（CVE Numbering Authority），然后找到其联系方式。文章提供了联系CNA的步骤，包括需要提供的信息，如CVE ID、更改内容、原因和支持证据。此外，文章还讨论了CNA的响应时间，以及在CNA未响应或不同意的情况下，如何通过争议流程解决问题，并提供了相关资源。

🔍 确定CVE编号机构（CNA）：每个CVE记录都标明了负责维护该记录的CNA。在cve.org上，CNA列于“Required CVE Record Information”标题下；在nvd.nist.gov上，CNA信息位于“QUICK INFO”框的“Source”字段。

📧 查找CNA的联系方式：在确定CNA后，通过cve.org/PartnerInformation/ListofPartners找到其联系信息。大多数CNA通过电子邮件进行CVE相关的沟通，但MITRE Corporation使用webform进行请求提交。

✍️ 提交更改请求：在与CNA沟通时，务必包含CVE ID、希望更改的信息、更改原因及支持证据（如公开的漏洞报告、修复提交或发行说明）。

⏱️ 了解响应时间与争议流程：CNA的响应时间可能不同，但CVE CNA规则规定了CVE ID分配的时间限制。如果CNA未响应或无法达成一致，可以通过CVE记录争议流程解决，可以参考CNA的“Top-Level Root”信息。

Ever come across a Common Vulnerabilities and Exposures (CVE) ID affecting software you use or maintain and thought the information could be better?

CVE IDs are a widely-used system for tracking software vulnerabilities. When a vulnerable dependency affects your software, you can create a repository security advisory to alert others. But if you want your insight to reach the most upstream data source possible, you’ll need to contact the CVE Numbering Authority (CNA) that issued the vulnerability’s CVE ID.

GitHub, as part of a community of over 400 CNAs, can help in cases when GitHub issued the CVE (such as with this community contribution). And with just a few key details, you can identify the right CNA and reach out with the necessary context. This guide shows you how.

Step 1: Find the CNA that issued the CVE

Every CVE record contains an entry that includes the name of the CNA that issued the CVE ID. The CNA is responsible for updating the CVE record after its initial publication, so any requests should be directed to them.

On cve.org, the CNA is listed as the first piece of information under the “Required CVE Record Information” header. The information is also available on the right side of the page.

On nvd.nist.gov, information about the issuing CNA is available in the “QUICK INFO” box. The issuing CNA is called “Source”.

Step 2: Find the contact information for the CNA

After identifying the CNA from the CVE record, locate their official contact information to request updates or changes. That information is available on the CNA partners website at https://www.cve.org/PartnerInformation/ListofPartners.

Search for the CNA’s name in the search bar. Some organizations may have more than one CNA, so make sure that the CVE you want corresponds to the correct CNA.

The left column, under “Partner,” has the name of the CNA that links to a profile page with its scope and contact information.

Step 3: Contact the CNA

Most CNAs have an email address for CVE-related communications. Click the link under “Step 2: Contact” that says Email to find the CNA’s email address.

The most notable exception to the general preference for email communication among CNAs is the MITRE Corporation, the world’s most prolific CVE Numbering Authority. MITRE uses a webform at https://cveform.mitre.org/ for submitting requests to create, update, dispute, or reject CVEs.

What to include in your communication to the CNA

The CVE ID you want to discuss The information you want to add, remove, or change within the CVE record Why you want to change the information Supporting evidence, usually in the form of a reference link

Including publicly available reference links is important, as they justify the changes. Examples of reference links include:

A publicly available vulnerability report, advisory, or proof-of-concept A fix commit or release notes that describe a patch An issue in the affected repository in which the maintainer discusses the vulnerability in their software with the community A community contribution pull request that suggests a change to the CVE’s corresponding GitHub Security Advisory

When submitting changes, keep in mind that the CNA isn’t your only audience. Clear context around disclosure decisions and vulnerability details helps the broader developer and security community understand the risks and make informed decisions about mitigation.

The time it takes for a CNA to respond may vary. Rules 3.2.4.1 and 3.2.4.2 of the CVE CNA rules state:

“3.2.4.1 Subject to their respective CNA Scope Definitions, CNAs MUST respond in a timely manner to CVE ID assignment requests submitted through the CNA’s public POC.

3.2.4.2 CNAs SHOULD document their expected response times, including those for the public POC.”

The CNA rules establish firm timelines for assignment of CVE IDs to vulnerabilities that are already public knowledge. For CVE ID assignment or record publication in particular, section 4.2 and section 4.5 of the CVE CNA rules establish 72 hours as the time limit in which CNAs should issue CVE IDs or publish CVE records for publicly-known vulnerabilities. However, no such guidance exists for changing a CVE record.

What if the CNA doesn’t respond or disagrees with me?

If the CNA doesn’t respond or you cannot reach an agreement about the content of the CVE record, the next step is to engage in the dispute process.

The CVE Program Policy and Procedure for Disputing a CVE Record provides details on how you may go about disputing a CVE record and escalating a dispute. The details of that process are beyond the scope of this post. However, if you end up disputing a CVE record, it’s good to know who the root or top-level root of the CNA is that reviews the dispute.

When viewing a CNA’s partner page linked from https://www.cve.org/PartnerInformation/ListofPartners, you can find the CNA’s root under the column “Top-Level Root.” For most CNAs, their root is the Top-Level Root, MITRE.

The post How to request a change to a CVE record appeared first on The GitHub Blog.