| 1 | +# CVE Submission Guide |
| 2 | +This is a guide to submitting a CVE request to the CPAN Security CNA (CVE |
| 3 | +Numbering Authority). |
| 4 | + |
| 5 | +# Contacting the CNA |
| 6 | +Send an email to cve-request@security.metacpan.org |
| 7 | + |
| 8 | +# Reserving a CVE Identifier |
| 9 | +If you have found a potential vulnerability in the scope of the CNA you can |
| 10 | +request a CVE identifier. |
| 11 | + |
| 12 | +In most cases you will be asked to provide the details of the vulnerability |
| 13 | +before a CVE identifier will be issued. However, a CPAN author or Perl |
| 14 | +Security may **reserve** a CVE number without providing details. The CVE |
| 15 | +identifier will be reserved and the requester will be recorded. |
| 16 | + |
| 17 | +# Publishing a CVE |
| 18 | +A previously reserved CVE identifier or a new CVE may be published. To publish |
| 19 | +a CVE the CNA requires the following minimal information: |
| 20 | + |
| 21 | +1. The name of software that contains the vulnerability |
| 22 | +2. The version or versions impacted |
| 23 | +3. Description of the issue |
| 24 | + |
| 25 | +Optionally you can also provide: |
| 26 | + |
| 27 | +1. URLs that provide references or show the affected code |
| 28 | +2. Potential mitigations of fixes |
| 29 | +3. A JSON file generated by [Vulnogram](https://vulnogram.github.io/) |
| 30 | + |
| 31 | +# Research the CVE database to ensure it has not been logged previously |
| 32 | + |
| 33 | +Ensuring that the issue has not been previously logged is very important. |
| 34 | +Duplicate entries will merely serve to confuse the issue and polute the CVE |
| 35 | +database. |
| 36 | + |
| 37 | +1. Access [Mitre.org CVE Search](https://cve.mitre.org/cve/search_cve_list.html) |
| 38 | +1. Search for various keywords including but not limited to the distribution or |
| 39 | +module name and any applicable words. |
| 40 | +1. Review the results |
| 41 | +1. If the CVE appears to be previously submmitted you can ask the CNA to decide |
| 42 | +whether it is the same issue. |
| 43 | + |
| 44 | +# Example data to provide |
| 45 | + |
| 46 | +This is an example of information to submit for a CVE with the Foo::Bar |
| 47 | +distribution. |
| 48 | + |
| 49 | +* Name of the software |
| 50 | + |
| 51 | + Foo-Bar CPAN distribution |
| 52 | + |
| 53 | +* Impacted versions |
| 54 | + Affected range: <0.99 |
| 55 | + |
| 56 | +* Description |
| 57 | + Foo::Bar uses the rand() function for cryptographic purposes. |
| 58 | + |
| 59 | +* URL refenrencs: |
| 60 | + https://example.com/foo_bar/vulnerability.html |
| 61 | + |
| 62 | +* Mitigations |
| 63 | + Upgrade to 1.00 or higher |
| 64 | + |
| 65 | +* Discoverer |
| 66 | + If you want to be credited (on more importantly do not want to be publicly |
| 67 | + credited) please indicate that. |
| 68 | + |
| 69 | +Informtation can be included in an email to cve-request@security.metacpan.org |
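Review bot: several typos in the new guide should be fixed before merge. In the "Research the CVE database" section, `polute` should be `pollute` and `submmitted` should be `submitted`; in the "Example data to provide" section, `URL refenrencs:` should be `URL references:` and the closing line `Informtation can be included in an email` should read `Information can be included in an email`. Two wording slips change the meaning: the optional item `Potential mitigations of fixes` reads as `Potential mitigations or fixes`, and the Discoverer note `(on more importantly do not want to be publicly credited)` should be `(or more importantly do not want to be publicly credited)`. Also, the `* Impacted versions` bullet is the only example item without a blank line between the bullet and its indented body, so it will render differently from `* Name of the software`; consider adding the blank line for consistency.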