Weak Submission
Some vulnerabilities are considered weak because they might be old, affect an unpopular product or use a rather simple attack technique. We do not think that such weak submissions should be ignored, as they pose a real risk which must be known in order to be handled.
Incentive for Submissions
We allow our community users to submit new entries very easily via a submission form. Because we offer an incentive called community points, we have community users and customers who look for new issues and submit them. Many of them submit their old findings or review code repositories for potential submissions.
Since the introduction of the CVE JSON 5.0 format, submitters and analysts are listed as analyst in the credits if they choose to make their activities public on our web site (there is also a private mode available which prevents this attribution). This motivates many to invest their time in finding and disclosing vulnerabilities.
Review of All Submissions
Our moderation team reviews all submissions manually. Even though the CVE program is claim-based only, we review code (exploits and patches) whenever available to keep the dispute and false-positive rate as low as possible. Since December 2022 this processing has been supported by an in-house code analysis tool to handle the enormous amount of new issues that we have to process.
There is no automated submission acceptance process, as this would contradict the quality expectations of our service. If our code analysis tool was involved, the CVE JSON 5.0 file will mention the tool in the credits. But this does not mean that the entry was processed automatically.
If we receive a submission and it does not contradict our submission policy or the CNA Rules (which are not exactly the same), then we assign a CVE. We assume that if we do not handle these, they might get submitted to another generic CNA or MITRE in the end.
Old Submissions
Documenting vulnerabilities is the task of the defensive community, to provide a reliable source of information (descriptions, links, statistical data). The age of a vulnerability or disclosure does not matter to us.
MITRE is responsible for the CVE program and is eager to add entries regardless of their age as well:
- CVE-2015-5467 was assigned by MITRE on 2023-09-21 and covers a vulnerability that was disclosed 8 years prior
- CVE-2015-8371 was assigned by MITRE on 2023-09-21 and covers a vulnerability that was disclosed 7 years prior
- CVE-1999-0199 was assigned by MITRE on 2020-10-06 and covers a vulnerability that was disclosed 21 years prior
Tainted Vulnerability Stream
Some people consider weak submissions a pollution of a vulnerability stream. It should not be the task of a CNA to act as a gatekeeper regarding quality and weak CVEs. It is sad enough that vendor CNAs do this for their own products for dubious reasons. It is the task of the consumer of a vulnerability stream to filter out products and vulnerabilities which may be discarded based on their individual assessment. This is also the reason why we have a very limited revoke policy.
Updated: 20.05.2024 by VulDB Documentation Team