I recently created a post about my frustrations around reporting security findings to companies, and how I plan to move forward with Bug Bounties instead. Having said that, if I do come across a finding I will most certainly still try to report it responsibly (it's just that I will now check whether the company has a Bug Bounty first).
I will inevitably face companies who do not give any feedback, etc. Recently I saw a post on Twitter about a new researcher who faced similar issues. One of my responses was to ensure that you create a CVE for a finding.
CVE (Common Vulnerabilities and Exposures) is a list of known vulnerabilities, each with an associated ID. The ID identifies the issue and gives systems and people a common reference to the published list of issues, which allows for easier management, access and distribution of known security vulnerabilities. Each CVE is requested through a CVE Numbering Authority (CNA). A CNA's role is to assign CVE identifiers to reported vulnerabilities in the products and systems under its remit (for example Apple, or the Apache Software Foundation). Mitre is the central controlling authority of the CVE ecosystem.
So, as mentioned above, CVEs help to associate an identity with a vulnerability and provide a means for others to access the information associated with it. In addition, there are services out there which allow one to look up vulnerabilities either by the product/service or by the identifier itself.
Opening a CVE against a finding is useful since:
- It helps make the finding public
- Allows the finding to end in numerous vulnerability databases such as NVD
- Provides a consistent form to reporting security issues
- Provides the finding party with credit for the finding. This is where it helps researchers, since their name is attached to the CVE. They can therefore claim credit for the finding and, for instance, put it on their personal blogs or corporate websites.
Creating a CVE
Creating a CVE has been greatly improved over the past few years. To create a CVE, follow these steps:
- Draft up your finding to include details such as:
  - Title of the finding
  - Summary of the finding
  - Details of the finding
  - Associated CVSS rating
- Check the product/service against the list of CNAs. If the service/product belongs to a listed CNA, use their reporting mechanism to obtain a CVE. If the product/service does not have an associated CNA, use the Mitre request form.
- This should place the CVE in "draft" (reserved) form, meaning that it will not be publicly released yet.
- Work with the affected organization to resolve the issue (within an appropriate time period).
- Update and finalize any documentation as well as web pages which contain details about the finding.
- Inform the appropriate CNA of your desire to publish and disclose the finding. This makes the CVE record public.
Again I need to stress the importance of following a responsible disclosure process. Ensure that you try your best to work with the affected organization before releasing or finalizing any information relating to the finding. This is not always possible, but the important part is you give the organization the opportunity and suitable time to resolve the issue before it becomes public.