OBB and CVE

Posted: Fri Jun 22, 2018 7:50 am
by metamorfosec_id
Dear OBB community,

Recently I found some XSS issues on websites, and I concluded that the problem is the software currently used. So, I reported it to the software developer directly and he created issue trackers on the GitHub page. I informed him that public disclosure is at least 30 days, as stated on OBB. Then, I requested two CVE-IDs, and they were published within hours (first CVE-ID) and the next day (second CVE-ID). The developer then asked me why it was disclosed so soon, after only 3 days, not 30 days. He wants to provide enough time for users to update to the newer version before disclosure.

I am rather in a dilemma explaining it because OBB and CVE have different policies. OBB will disclose a vulnerability at the latest on Day 90, or on Day 30 if the vulnerability has been fixed. On the other hand, CVE will assign a CVE-ID and publish it soon if any public reference is found (in this case the GitHub page). If no public reference is found, it will be reserved first until a public reference is added. For your information, the CVE team proactively seeks any public reference, even if we do not include any public reference when requesting the CVE-ID.

Has anyone here had the same or a similar situation in the past? And how do you address it?

Re: OBB and CVE

Posted: Fri Jun 22, 2018 11:58 am
by secuninja
Sorry, I did not completely understand: was it disclosed after three days by CVE or by OBB?

Re: OBB and CVE

Posted: Fri Jun 22, 2018 9:19 pm
by metamorfosec_id
Three days by CVE (no PoC included). And for additional information, the vulnerability had already been fixed before it was disclosed by CVE.

Re: OBB and CVE

Posted: Sat Jun 23, 2018 6:44 am
by secuninja
Hmm... okay, so when CVE discloses it and it's already fixed, where's the problem?

Re: OBB and CVE

Posted: Sun Jun 24, 2018 10:18 am
by metamorfosec_id
As I mentioned before, the developer wants to provide enough time for users to update to the newer version before disclosure, even if the vulnerability has been fixed. And 3 days are too short because I "promised" him disclosure after at least 30 days.

I think the case has been solved because there are official announcements on the forum. And posts on GitHub, I think, cannot be considered "official" for this case.

Lessons learned (on a case-by-case basis):
  • For manually installed software: Wait at least 30 days before requesting a CVE-ID. This period allows the developer to fix the issue and publish an official announcement, and allows users to update to the newer version.
  • For hosted software: It does not matter if the CVE-ID is requested as soon as possible, provided there is an official announcement. It would be better if the issue has already been fixed.