-
Only members of the CVE Automation Working Group should create pull requests or open issues in this repository currently. Going forward, we hope to allow progressively wider participation; eg, from CNAs generally and then security researchers and other cybersecurity community members. Until then, others who wish to contribute should use the CVE Request web form.
-
Only submit information that is intended to become public immediately. There is no support for embargoed submissions!!
-
Understand that this is only a pilot - it could be changed significantly or even halted.
-
Submissions should be made subject to the CVE Submissions License Terms of Use.
-
It is strongly recommended that submissions use signed commits.
-
If you haven't done so already, fork the cvelist repository.
-
Ensure your fork is up to date.
-
Create a new branch. We recommend grouping related updates into a single submission and using a separate branch for each submission. For example, one CNA may choose to have a single submission for each monthly patch bundle, while another may opt for a daily submission.
-
Make changes to one or more files. NB: limit your changes to only those portions of the JSON that need to be updated rather than naively overwriting the entire file.
-
Create a pull request to merge the changes in your new branch into the cvelist master.
After a pull request has been submitted, the CVE Team will review the submission and work with you to resolve issues. Then the CVE Team will merge the updated files into the "master" branch and use the supplied information to update the associated entries in the CVE List itself.
Direct questions, comments, or concerns about use of this repo to the CVE Team using the CVE Request web form.