Gaining a CVE identifier when the software vendor does not provide one

Discussion in 'other software & services' started by grahamperrin, Jun 5, 2016.

  1. grahamperrin

    grahamperrin Registered Member

    Joined:
    Aug 30, 2010
    Posts:
    7
    Location:
    Brighton and Hove, United Kingdom
    Please, does anyone have experience in this area?

    Background

    A few years ago with CVE-2009-0014 things went smoothly for me. Apple fixed the vulnerability, and gave credit.

    For more recent problems, first reported to Apple in February 2012, I have not yet received an identifier. In fairness to Apple: my early reports may have lacked what was required to make the problem easily reproducible, and to have the security implications realised by other people. In the three years that followed I did little to actively pursue the problem.

    In November 2015 I wrote to Apple Product Security requesting a CVE identifier, with reference to my 2012 report. Apple Product Security found no security implication.

    At the end of May 2016 I took a little time to make the problem easily and consistently reproducible. With those steps to reproduce, again I requested a CVE identifier, but, unless I'm missing something, Apple has not responded.

    Re "CVE - Request a CVE Identifier": as the software vendor – an officially recognized CVE Numbering Authority (CNA) – has not provided an identifier, should I now proceed with the alternative method?

    If you're familiar with that alternative method:
    • please, what might I expect?

    Optimistically

    For my most recent e-mail to Apple I carbon copied the address @mitre.org, so it's possible that the two organisations are liaising, privately, before one or both will respond to me.

    If I don't gain a CVE identifier within the next few days

    All things considered, I may proceed to limited disclosure … then public disclosure on Saturday 18th June.

    Thoughts?

    Has anyone here communicated with Apple Public Relations about security vulnerabilities?

    For Apple UK and Ireland Public Relations I see an e-mail address and London telephone number in a 2010 press release, https://www.apple.com/uk/pr/library/2010/04/14Apple-Media-Advisory.html

    Thanks
     
  4. grahamperrin

    grahamperrin Registered Member

    Joined:
    Aug 30, 2010
    Posts:
    7
    Location:
    Brighton and Hove, United Kingdom
    Still no response from Apple Product Security (follow up 631737871).

    Tweets were addressed to The Mitre Corporation and to Apple Support, neither gained a response.

    Apple Media Helpline +44-20-8278-1440 – this morning, option 3 rang without an answer for more than fifteen minutes (10:34–10:50) so I hung up. I then e-mailed the media.uk@ address so someone there might become aware, this afternoon or tomorrow, of my intentions.

    From that e-mail:

    [Screenshot of the e-mail: 2016-06-16 11-05-05 screenshot.png, not reproduced]

    Postscripts

    I found a Secure Coding Guide in the Mac Developer Library. By Apple's definition, I should describe the vulnerability as an access control problem. A more specific page in that Library will be referenced if/when I disclose an outline of the vulnerability.

    Apparent file sharing security vulnerabilities in five or more versions of Apple Mac OS X
     
    Last edited: Jun 17, 2016