Gaining a CVE identifier when the software vendor does not provide one

Discussion in 'other software & services' started by grahamperrin, Jun 5, 2016.

  1. grahamperrin

    grahamperrin Registered Member

    Joined:
    Aug 30, 2010
    Posts:
    7
    Location:
    Brighton and Hove, United Kingdom
    Please, does anyone have experience in this area?

    Background

    A few years ago with CVE-2009-0014 things went smoothly for me. Apple fixed the vulnerability, and gave credit.

    For more recent problems, first reported to Apple in February 2012, I have not yet received an identifier. In fairness to Apple: my early reports may have lacked what was required to make the problem easily reproducible; to have the security implications realised by other people. In the three years that followed I did little to actively pursue the problem.

    In November 2015 I wrote to Apple Product Security requesting a CVE identifier, with reference to my 2012 report. Apple Product Security found no security implication.

    At the end of May 2016 I took a little time to make the problem easily and consistently reproducible. With those steps to reproduce, again I requested a CVE identifier but unless I'm missing something: Apple has not responded.

    Re CVE - Request a CVE Identifier, as the software vendor – an officially recognized CVE Numbering Authority (CNA) – has not provided an identifier, should I now proceed with the alternative method?

    If you're familiar with that alternative method:
    • please, what might I expect?

    Optimistically

    For my most recent e-mail to Apple I carbon copied the address @mitre.org, so it's possible that the two organisations are liaising, privately, before one or both will respond to me.

    If I don't gain a CVE identifier within the next few days

    All things considered, I may proceed to limited disclosure … then public disclosure on Saturday 18th June.

    Thoughts?

    Has anyone here communicated with Apple Public Relations about security vulnerabilities?

    For Apple UK and Ireland Public Relations I see an e-mail address and London telephone number in a 2010 press release, https://www.apple.com/uk/pr/library/2010/04/14Apple-Media-Advisory.html

    Thanks
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,299
    Location:
    England
  3. grahamperrin

    grahamperrin Registered Member

    Joined:
    Aug 30, 2010
    Posts:
    7
    Location:
    Brighton and Hove, United Kingdom
  4. grahamperrin

    grahamperrin Registered Member

    Joined:
    Aug 30, 2010
    Posts:
    7
    Location:
    Brighton and Hove, United Kingdom
    Still no response from Apple Product Security (follow up 631737871).

    Tweets were addressed to The Mitre Corporation and to Apple Support; neither gained a response.

    Apple Media Helpline +44-20-8278-1440 – this morning, option 3 rang without an answer for more than fifteen minutes (10:34–10:50) so I hung up. I then e-mailed the media.uk@ address so someone there might become aware, this afternoon or tomorrow, of my intentions.

    From that e-mail:

    2016-06-16 11-05-05 screenshot.png

    Postscripts

    I found a Secure Coding Guide in the Mac Developer Library. By Apple's definition, I should describe the vulnerability as an access control problem. A more specific page in that Library will be referenced if/when I disclose an outline of the vulnerability.

    Apparent file sharing security vulnerabilities in five or more versions of Apple Mac OS X
     
    Last edited: Jun 17, 2016