How is a !CVE assigned?

A !CVE member will review your request and assign a !CVE number if the issue qualifies.

What qualifies as a !CVE?

Security issues that present an advantage for an attacker to compromise the confidentiality, integrity or availability of a device, system or application. Examples include:

1. A security issue acknowledged by a vendor as technically correct but outside their threat model.
2. An issue that could be considered a vulnerability by MITRE but not by the vendor.
3. A notfied security issue that has not been assigned a CVE after 90 days.
4. A published security issue without an assigned CVE.
5. A denied CVE by the vendor.

What kind of security issues can have a !CVE assigned?

Examples include:

1. A VCC glitching attack bypassing the secure boot mechanism.
2. Getting a non-authenticated root terminal of a device via a physical serial connection.
3. A configuration mistake in sshd that allows non-authenticated users to gain a remote shell in a specific product.
4. A Thunderbolt attack able to successfully perform DMA attacks on a particular device.

Examples that would NOT have a !CVE assigned are:

1. A generic security issue. You need to list one or more devices/software affected with your finding.
2. A man in the middle attack in a LAN against a very early version of WhatsApp where no secure channels were implemented.
3. A software defect that would end up in a buffer overflow in a function that the attacker cannot trigger.
4. A software defect with no impact on security.

Can I request a !CVE without having requested a CVE first?

We do not intend to replicate MITRE's CVE Program, so please, try contacting the vendor first. If you are having issues or not receiving response from the vendor after 90 days then you can request a !CVE.

Why did I find a !CVE with a CVE assigned to it?

A CVE assignation can be refused in the first place, but this decision can be changed later. This could happen due to many reasons such as an incorrect first assessment of the issue, etc.