OBB and CVE
Posted: Fri Jun 22, 2018 7:50 am
Dear OBB community,
Recently I found some XSS issues on websites, and I concluded that the problem is the software they currently use. So, I reported it to the software developer directly and he created issue trackers on the GitHub page. I informed him that the public disclosure period is at least 30 days, as stated on OBB. Then, I requested two CVE-IDs, and they were published within hours (first CVE-ID) and the next day (second CVE-ID). The developer then asked me why it was disclosed so soon, after only 3 days and not 30 days. He wants to provide enough time for users to update to the newer version before disclosure.
I am rather in a dilemma about how to explain it, because OBB and CVE have different policies. OBB will disclose a vulnerability at the latest on Day 90, or on Day 30 if the vulnerability has been fixed. On the other hand, CVE will assign a CVE-ID and publish it soon if any public reference is found (in this case the GitHub page). If no public reference is found, it will be reserved first until a public reference is added. For your information, the CVE team proactively seeks any public reference, even if we do not include any public reference when requesting the CVE-ID.
Has anyone here had the same or a similar situation in the past? And how did you address it?