Open adam-nygate opened 2 years ago
A maintainer requesting a CVE for the researcher:
https://www.huntr.dev/bounties/6b8acb0c-8b5d-461e-9b46-b1bfb5a8ccdf/
Hm. AFAIK that's what the knowledge of the CNA is for. If the maintainers don't want a CVE but there is a serious impact, CVEs are assigned even if the project objects, unless they are their own CNA. This is the experience I have had with MITRE. So generally speaking, it doesn't seem that huntr.dev has had this case yet, but if it happens, I don't think huntr.dev could hide behind "the maintainers don't want a CVE". That said, a request by researchers is a valid case.
Blocks #2175 and makes it redundant, as the crux of this issue is being able to have a CVE assigned if one isn't automatically assigned.
This must go via the maintainer, as they have to confirm that they want a CVE issued for this vulnerability (if one is not automatically issued by our system). So the aforementioned issue turns into a button to make the request; however, this issue describes the need for a maintainer to opt in so that the CVE can actually be assigned.