If you don't already have a CVE identification number for the security vulnerability in your project, you can request a CVE identification number from {% data variables.product.prodname_dotcom %}. {% data variables.product.prodname_dotcom %} usually reviews the request within 72 hours. Requesting a CVE identification number doesn't make your security advisory public. If your security advisory is eligible for a CVE, {% data variables.product.prodname_dotcom %} will reserve a CVE identification number for your advisory. We'll then publish the CVE details after you publish the security advisory.
If you already have a CVE you want to use, for example, if you use a CNA other than {% data variables.product.prodname_dotcom %}, add it to the security advisory form. This may happen, for example, if you want to get the advisory consistent with other communications you plan to send out at publication time.
If an advisory form doesn't have a CVE, we will request a CVE for you when you publish the advisory.