The CVE, short for common vulnerabilities and exposures, is a directory of publicly disclosed cybersecurity vulnerabilities that you can freely search, use, and incorporate into products and services. Each vulnerability is referenced by a CVE ID to easily identify them. You can request to have CVE IDs associated with your program’s vulnerabilities, through which a CVE Assignment Authority (CNA) will then assign you a valid CVE ID and help you disclose the vulnerability.
As HackerOne is 1 of 90 CNAs empowered to assign and work with customers in assisting them to disclose vulnerabilities, you can request to have CVE IDs associated with your program’s vulnerabilities through the HackerOne platform. Upon request, HackerOne will approve and assign a CVE ID for your vulnerability and then send the ID to MITRE to publish publicly. The entire process takes about 7 business days after request.
To request a CVE ID:
- Go to Settings > Customization > Request CVE ID.
- Click Request a CVE ID.
- Fill out these fields:
|Report ID||(Optional) The ID number of the report.|
|Vulnerability Date||The date the vulnerability was found.|
|Weaknesses||The type of the potential issue. Learn more about weaknesses here .|
|Product||The name of the product the vulnerability is found in.|
|Product Version||The affected version of the product and the fixed version.|
|Description||A public description of the vulnerability.|
|References||Links to where the advisory report, security report, or other information about the vulnerability can be found.|
- Click Submit for approval.
The CVE ID Summary section on the Request CVE ID homepage will list out the status of all of your requests. Your CVE ID request can have the following statuses:
|Needs action||There are errors within the form that you need to fix or additional information is needed. Click edit to fix your form.|
|Pending H1 approval||HackerOne is in the process of approving your request.|
|HackerOne approved||HackerOne has approved your request and the request will be sent to MITRE for processing.|
|Pending MITRE approval||MITRE is in the process of publishing your ID.|
|Published||A CVE ID has been successfully assigned and the ID and vulnerability are published.|
You can modify and view the descriptions of your vulnerability by selecting Edit or View within the CVE ID Summary section.
Note: To opt-in to this feature, talk to your program manager.