Please, does anyone have experience in this area?

Background

A few years ago with CVE-2009-0014 things went smoothly for me. Apple fixed the vulnerability, and gave credit.

For more recent problems, first reported to Apple in February 2012, I have not yet received an identifier.

In fairness to Apple: my early reports may have lacked what was required to make the problem easily reproducible; to have the security implications realised by other people. In the three years that followed I did little to actively pursue the problem.

In November 2015 I wrote to Apple Product Security requesting a CVE identifier, with reference to my 2012 report. Apple Product Security found no security implication.

At the end of May 2016 I took a little time to make the problem easily and consistently reproducible. With those steps to reproduce, again I requested a CVE identifier but, unless I'm missing something, Apple has not responded.

Re CVE - Request a CVE Identifier: as the software vendor – an officially recognized CVE Numbering Authority (CNA) – has not provided an identifier, should I now proceed with the alternative method?

If you're familiar with that alternative method: please, what might I expect?

Optimistically

For my most recent e-mail to Apple I carbon copied the address @mitre.org, so it's possible that the two organisations are liaising, privately, before one or both will respond to me.

If I don't gain a CVE identifier within the next few days

All things considered, I may proceed to limited disclosure … then public disclosure on Saturday 18th June.

Thoughts?

Has anyone here communicated with Apple Public Relations about security vulnerabilities? For Apple UK and Ireland Public Relations I see an e-mail address and London telephone number in a 2010 press release: https://www.apple.com/uk/pr/library/2010/04/14Apple-Media-Advisory.html

Thanks
This was posted back in March http://news.softpedia.com/news/cve-...-researchers-propose-alternative-501665.shtml
Thanks @stapp

Distributed Weakness Filing (DWF) project

At https://github.com/distributedweaknessfiling/DWF-Documentation/

"… will initially deal with assigning CVEs for Open Source software …"

and, as far as I can tell, the code is not within Apple open source for the affected software (Mac OS X), so at this time I should not expect help from DWF.

Still, I tweeted with reference to this topic: https://twitter.com/grahamperrin/status/739466601397882880
Still no response from Apple Product Security (follow up 631737871).

Tweets were addressed to The Mitre Corporation and to Apple Support; neither gained a response.

Apple Media Helpline +44-20-8278-1440 – this morning, option 3 rang without an answer for more than fifteen minutes (10:34–10:50), so I hung up. I then e-mailed the media.uk@ address so someone there might become aware, this afternoon or tomorrow, of my intentions. From that e-mail:

Postscripts

I found a Secure Coding Guide in the Mac Developer Library. By Apple's definition, I should describe the vulnerability as an access control problem. A more specific page in that Library will be referenced if/when I disclose an outline of the vulnerability.

Apparent file sharing security vulnerabilities in five or more versions of Apple Mac OS X