Trending News: Introducing sub-issues: Enhancing issue management on GitHub9 business leaders on what’s possible with Google AIWhat the heck is MCP and why is everyone talking about it?The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AIBeyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design6 highlights from Google Cloud Next 25Pixel 9a’s 3 big design updatesAnnouncing up to 85% price reductions for Amazon S3 Express One ZoneHow we’re making security easier for the average developerA short film program to explore AI on screenPixel 9a is available now.The Agentic Maturity Model: A 4-Step Roadmap for CIOs to Succeed in the Agentic Era(AI)ways a Cut Above: GeForce RTX 50 Series Accelerates New DaVinci Resolve 20 Studio Video Editing SoftwareMyth and Mystery Await: GeForce NOW Brings ‘South of Midnight’ to the Cloud at LaunchPixel 9a is available nowServing up tennis history with magazine archives and NotebookLMNVIDIA Celebrates Partners of the Year Advancing AI in Europe, Middle East and AfricaOur investment in AI-powered solutions for the electric gridHow to request a change to a CVE record‘Black Women in Artificial Intelligence’ Founder Talks AI Education and EmpowermentGoogle Cloud Next 25: New AI capabilities to transform your businessSalesforce Brings Agentic AI to the Field Service Sector to Tackle Scheduling, Reporting, and On-the-Job TroubleshootingHow Agentforce Automates Field Service Tasks, Easing Skilled Labor Shortage StrainTradespeople, Techs Waste Nearly a Full Day’s Work Weekly on Paperwork, 81% Think AI Agents Can HelpNVIDIA Brings Agentic AI Reasoning to Enterprises With Google CloudIronwood: The first Google TPU for the age of inferenceGoogle Cloud: the platform for scientific discoveryGoogle Workspace adds new AI tools to Docs, Sheets, Chat and more.Check out the latest features from Google Agentspace at Google Cloud Next.New video, image, speech and music generative AI tools are coming to Vertex AI.Here’s what’s new with our Google Cloud AI Hypercomputer.Google Cloud Next 25The AI magic behind Sphere’s upcoming ‘The Wizard of Oz’ experienceIntroducing Amazon Nova Sonic: Human-like voice conversations for generative AI applicationsAWS announces Pixtral Large 25.02 model in Amazon Bedrock serverlessDeep Research is now available on Gemini 2.5 Pro Experimental.We’re introducing a new way to analyze geospatial data.Found means fixed: Reduce security debt at scale with GitHub security campaigns‘Bazooka Innovation’ for Professional Services: How Certinia and Agentforce Drive Customer SuccessAdding AI to Workflows? Here’s What Indeed Has LearnedAmazon Bedrock Guardrails enhances generative AI application safety with new capabilitiesVisit Brazil’s Piratini Palace virtually on Google Arts & Culture.The AI opportunity for Europe’s climate goalsGit turns 20: A Q&A with Linus TorvaldsAmazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videosAWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)The Changing Role of Developers in the Age of AI Agents“Bazooka Innovation” for Professional Services: How Certinia and Agentforce are Driving Customer SuccessBringing multimodal search to AI ModeNew AI-powered experiments from Google Arts & Culture Artists in Residence5 ways to use Gemini Live with camera and screen sharingNew ways AI helps keep business information trustworthyQuantum computing education for global policy leaders25 startups using AI to transform healthcareNational Robotics Week — Latest Physical AI Research, Breakthroughs and ResourcesCopado and Agentforce: Automating Release Notes and Accelerating Production DeploymentsCelebrating Microsoft’s 50 yearsVibe coding with GitHub Copilot: Agent mode and MCP support rolling out to all VS Code usersSay Hello to Your New Colleague, the AI AgentYour AI CompanionThe latest AI news we announced in MarchStart building with Gemini 2.5 Pro.How Enterprise General Intelligence (EGI) Will Form a New Business ImperativeThese new features help you easily get started creating YouTube Shorts.3 ways to level up your studying with NotebookLMLocalhost dangers: CORS and DNS rebindingWhy Customers Say Unified Data Is Critical for AI AgentsThe Kindergarten Test: How AI Will Free Workers from DrudgeryNintendo Switch 2 Leveled Up With NVIDIA AI-Powered DLSS and 4K GamingNVIDIA Showcases Real-Time AI and Intelligent Media Workflows at NABFrom Browsing to Buying: How AI Agents Enhance Online ShoppingDiscover STEM stories from the Science Museum Group on Google Arts & Culture.4 ways media and entertainment companies are using GeminiRead Google DeepMind’s new paper on responsible artificial general intelligence (AGI).No Foolin’: GeForce NOW Gets 21 Games in AprilDiscover STEM stories from the Science Museum Group on Google Arts & CultureGoogle’s pro-innovation proposals for the UK copyright frameworkA practical approach to creative content and AI trainingNew in NotebookLM: Discover sources from around the webA New Definition of Smart: Agentic AI’s Impact on Critical ThinkingSpeed Demon: NVIDIA Blackwell Takes Pole Position in Latest MLPerf Inference ResultsNVIDIA’s Jacob Liberman on Bringing Agentic AI to EnterprisesA palace of art online: Discover the Farnesina CollectionHere’s how to watch this year’s Coachella music festival on YouTube.NVIDIA GeForce RTX 50 Series Accelerates Adobe Premiere Pro and Media Encoder’s 4:2:2 Color SamplingFinding answers, building hopeMeet the AWS News Blog team!How we built the new family of Gemini Robotics modelsGitHub found 39M secret leaks in 2024. Here’s what we’re doing to helpImmersive ads are expanding, starting with a new partnership between Ad Manager and Roblox.Amazon API Gateway now supports dual-stack (IPv4 and IPv6) endpointsAccelerate operational analytics with Amazon Q Developer in Amazon OpenSearch ServiceIndustrial Ecosystem Adopts Mega NVIDIA Omniverse Blueprint to Train Physical AI in Digital TwinsAWS Weekly Roundup: Amazon Bedrock, Amazon QuickSight, AWS Amplify, and more (March 31, 2025)Google Slides now uses Imagen 3 and adds other new visual tools.GitHub for Beginners: How to get LLMs to do what you wantThe Rise of AI Developer Tools: A New Era in Code and CollaborationThe newest recipients of Google.org’s AI Opportunity FundHere’s how we’re helping developers build safer apps more efficiently on Google Play and Android.Listen to our podcast episode all about Gemini 2.5.
Sun. Apr 13th, 2025
Trending News: Introducing sub-issues: Enhancing issue management on GitHub9 business leaders on what’s possible with Google AIWhat the heck is MCP and why is everyone talking about it?The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AIBeyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design6 highlights from Google Cloud Next 25Pixel 9a’s 3 big design updatesAnnouncing up to 85% price reductions for Amazon S3 Express One ZoneHow we’re making security easier for the average developerA short film program to explore AI on screenPixel 9a is available now.The Agentic Maturity Model: A 4-Step Roadmap for CIOs to Succeed in the Agentic Era(AI)ways a Cut Above: GeForce RTX 50 Series Accelerates New DaVinci Resolve 20 Studio Video Editing SoftwareMyth and Mystery Await: GeForce NOW Brings ‘South of Midnight’ to the Cloud at LaunchPixel 9a is available nowServing up tennis history with magazine archives and NotebookLMNVIDIA Celebrates Partners of the Year Advancing AI in Europe, Middle East and AfricaOur investment in AI-powered solutions for the electric gridHow to request a change to a CVE record‘Black Women in Artificial Intelligence’ Founder Talks AI Education and EmpowermentGoogle Cloud Next 25: New AI capabilities to transform your businessSalesforce Brings Agentic AI to the Field Service Sector to Tackle Scheduling, Reporting, and On-the-Job TroubleshootingHow Agentforce Automates Field Service Tasks, Easing Skilled Labor Shortage StrainTradespeople, Techs Waste Nearly a Full Day’s Work Weekly on Paperwork, 81% Think AI Agents Can HelpNVIDIA Brings Agentic AI Reasoning to Enterprises With Google CloudIronwood: The first Google TPU for the age of inferenceGoogle Cloud: the platform for scientific discoveryGoogle Workspace adds new AI tools to Docs, Sheets, Chat and more.Check out the latest features from Google Agentspace at Google Cloud Next.New video, image, speech and music generative AI tools are coming to Vertex AI.Here’s what’s new with our Google Cloud AI Hypercomputer.Google Cloud Next 25The AI magic behind Sphere’s upcoming ‘The Wizard of Oz’ experienceIntroducing Amazon Nova Sonic: Human-like voice conversations for generative AI applicationsAWS announces Pixtral Large 25.02 model in Amazon Bedrock serverlessDeep Research is now available on Gemini 2.5 Pro Experimental.We’re introducing a new way to analyze geospatial data.Found means fixed: Reduce security debt at scale with GitHub security campaigns‘Bazooka Innovation’ for Professional Services: How Certinia and Agentforce Drive Customer SuccessAdding AI to Workflows? Here’s What Indeed Has LearnedAmazon Bedrock Guardrails enhances generative AI application safety with new capabilitiesVisit Brazil’s Piratini Palace virtually on Google Arts & Culture.The AI opportunity for Europe’s climate goalsGit turns 20: A Q&A with Linus TorvaldsAmazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videosAWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)The Changing Role of Developers in the Age of AI Agents“Bazooka Innovation” for Professional Services: How Certinia and Agentforce are Driving Customer SuccessBringing multimodal search to AI ModeNew AI-powered experiments from Google Arts & Culture Artists in Residence5 ways to use Gemini Live with camera and screen sharingNew ways AI helps keep business information trustworthyQuantum computing education for global policy leaders25 startups using AI to transform healthcareNational Robotics Week — Latest Physical AI Research, Breakthroughs and ResourcesCopado and Agentforce: Automating Release Notes and Accelerating Production DeploymentsCelebrating Microsoft’s 50 yearsVibe coding with GitHub Copilot: Agent mode and MCP support rolling out to all VS Code usersSay Hello to Your New Colleague, the AI AgentYour AI CompanionThe latest AI news we announced in MarchStart building with Gemini 2.5 Pro.How Enterprise General Intelligence (EGI) Will Form a New Business ImperativeThese new features help you easily get started creating YouTube Shorts.3 ways to level up your studying with NotebookLMLocalhost dangers: CORS and DNS rebindingWhy Customers Say Unified Data Is Critical for AI AgentsThe Kindergarten Test: How AI Will Free Workers from DrudgeryNintendo Switch 2 Leveled Up With NVIDIA AI-Powered DLSS and 4K GamingNVIDIA Showcases Real-Time AI and Intelligent Media Workflows at NABFrom Browsing to Buying: How AI Agents Enhance Online ShoppingDiscover STEM stories from the Science Museum Group on Google Arts & Culture.4 ways media and entertainment companies are using GeminiRead Google DeepMind’s new paper on responsible artificial general intelligence (AGI).No Foolin’: GeForce NOW Gets 21 Games in AprilDiscover STEM stories from the Science Museum Group on Google Arts & CultureGoogle’s pro-innovation proposals for the UK copyright frameworkA practical approach to creative content and AI trainingNew in NotebookLM: Discover sources from around the webA New Definition of Smart: Agentic AI’s Impact on Critical ThinkingSpeed Demon: NVIDIA Blackwell Takes Pole Position in Latest MLPerf Inference ResultsNVIDIA’s Jacob Liberman on Bringing Agentic AI to EnterprisesA palace of art online: Discover the Farnesina CollectionHere’s how to watch this year’s Coachella music festival on YouTube.NVIDIA GeForce RTX 50 Series Accelerates Adobe Premiere Pro and Media Encoder’s 4:2:2 Color SamplingFinding answers, building hopeMeet the AWS News Blog team!How we built the new family of Gemini Robotics modelsGitHub found 39M secret leaks in 2024. Here’s what we’re doing to helpImmersive ads are expanding, starting with a new partnership between Ad Manager and Roblox.Amazon API Gateway now supports dual-stack (IPv4 and IPv6) endpointsAccelerate operational analytics with Amazon Q Developer in Amazon OpenSearch ServiceIndustrial Ecosystem Adopts Mega NVIDIA Omniverse Blueprint to Train Physical AI in Digital TwinsAWS Weekly Roundup: Amazon Bedrock, Amazon QuickSight, AWS Amplify, and more (March 31, 2025)Google Slides now uses Imagen 3 and adds other new visual tools.GitHub for Beginners: How to get LLMs to do what you wantThe Rise of AI Developer Tools: A New Era in Code and CollaborationThe newest recipients of Google.org’s AI Opportunity FundHere’s how we’re helping developers build safer apps more efficiently on Google Play and Android.Listen to our podcast episode all about Gemini 2.5.
Sun. Apr 13th, 2025

How to request a change to a CVE record


Ever come across a Common Vulnerabilities and Exposures (CVE) ID affecting software you use or maintain and thought the information could be better?

CVE IDs are a widely-used system for tracking software vulnerabilities. When a vulnerable dependency affects your software, you can create a repository security advisory to alert others. But if you want your insight to reach the most upstream data source possible, you’ll need to contact the CVE Numbering Authority (CNA) that issued the vulnerability’s CVE ID.

GitHub, as part of a community of over 400 CNAs, can help in cases when GitHub issued the CVE (such as with this community contribution). And with just a few key details, you can identify the right CNA and reach out with the necessary context. This guide shows you how.

Step 1: Find the CNA that issued the CVE

Every CVE record contains an entry that includes the name of the CNA that issued the CVE ID. The CNA is responsible for updating the CVE record after its initial publication, so any requests should be directed to them.

On cve.org, the CNA is listed as the first piece of information under the “Required CVE Record Information” header. The information is also available on the right side of the page.

A screenshot of the cve.org record for CVE-2023-29012, with a yellow rectangle drawn around the “CNA” field to draw attention to the fact that “GitHub (Maintainer Security Advisories)” is the CNA for CVE-2023-29012.

On nvd.nist.gov, information about the issuing CNA is available in the “QUICK INFO” box. The issuing CNA is called “Source”.

A screenshot of the nist.nvd.gov record for CVE-2023-29012, with a yellow rectangle drawn around the “Source” field to draw attention to the fact that “GitHub, Inc.” is the CNA for CVE-2023-29012.

Step 2: Find the contact information for the CNA

After identifying the CNA from the CVE record, locate their official contact information to request updates or changes. That information is available on the CNA partners website at https://www.cve.org/PartnerInformation/ListofPartners.

Search for the CNA’s name in the search bar. Some organizations may have more than one CNA, so make sure that the CVE you want corresponds to the correct CNA.

A screenshot of the cve.org “List of Partners.” The “Search” bar shows “GitHub,” being searched for, with two results of the search shown under the search bar. Those results are “GitHub, Inc.,” the CNA that matches the CNA responsible for CVE-2023-29012, and “GitHub, Inc. (Products Only),” a different CNA that GitHub also operates.

The left column, under “Partner,” has the name of the CNA that links to a profile page with its scope and contact information.

Step 3: Contact the CNA

Most CNAs have an email address for CVE-related communications. Click the link under “Step 2: Contact” that says Email to find the CNA’s email address.

A screenshot of the cve.org entry for the CNA “GitHub, Inc.” A yellow rectangle is drawn around a header and a link. The header reads “Step 2: Contact” and shows a link that says “Email” directly below the header.

The most notable exception to the general preference for email communication among CNAs is the MITRE Corporation, the world’s most prolific CVE Numbering Authority. MITRE uses a webform at https://cveform.mitre.org/ for submitting requests to create, update, dispute, or reject CVEs.

What to include in your communication to the CNA

  • The CVE ID you want to discuss
  • The information you want to add, remove, or change within the CVE record
  • Why you want to change the information
  • Supporting evidence, usually in the form of a reference link

Including publicly available reference links is important, as they justify the changes. Examples of reference links include:

  • A publicly available vulnerability report, advisory, or proof-of-concept
  • A fix commit or release notes that describe a patch
  • An issue in the affected repository in which the maintainer discusses the vulnerability in their software with the community
  • A community contribution pull request that suggests a change to the CVE’s corresponding GitHub Security Advisory

When submitting changes, keep in mind that the CNA isn’t your only audience. Clear context around disclosure decisions and vulnerability details helps the broader developer and security community understand the risks and make informed decisions about mitigation.

The time it takes for a CNA to respond may vary. Rules 3.2.4.1 and 3.2.4.2 of the CVE CNA rules state:

“3.2.4.1 Subject to their respective CNA Scope Definitions, CNAs MUST respond in a timely manner to CVE ID assignment requests submitted through the CNA’s public POC.

3.2.4.2 CNAs SHOULD document their expected response times, including those for the public POC.”

The CNA rules establish firm timelines for assignment of CVE IDs to vulnerabilities that are already public knowledge. For CVE ID assignment or record publication in particular, section 4.2 and section 4.5 of the CVE CNA rules establish 72 hours as the time limit in which CNAs should issue CVE IDs or publish CVE records for publicly-known vulnerabilities. However, no such guidance exists for changing a CVE record.

What if the CNA doesn’t respond or disagrees with me?

If the CNA doesn’t respond or you cannot reach an agreement about the content of the CVE record, the next step is to engage in the dispute process.

The CVE Program Policy and Procedure for Disputing a CVE Record provides details on how you may go about disputing a CVE record and escalating a dispute. The details of that process are beyond the scope of this post. However, if you end up disputing a CVE record, it’s good to know who the root or top-level root of the CNA is that reviews the dispute.

When viewing a CNA’s partner page linked from https://www.cve.org/PartnerInformation/ListofPartners, you can find the CNA’s root under the column “Top-Level Root.” For most CNAs, their root is the Top-Level Root, MITRE.

A screenshot of the cve.org entry for the CNA “GitHub, Inc.” A yellow rectangle is drawn around an entry in a table to draw attention to the two items in the table that are being discussed in the post. The left column contains the category “Top-Level Root,” and the right column contains the entry “MITRE Corporation,” with the text containing a link to a page about the MITRE Corporation.

Want to improve a CVE record and a CVE record’s corresponding security advisory? Learn more about editing security advisories in the GitHub Advisory Database.

Tags:

Written by

Shelby Cunningham

Shelby Cunningham

@shelbyc

Security Analyst, curator of the GitHub Advisory Database, and one of the members of the Security Lab responsible for issuing CVE IDs and publishing CVE records.

Blog Article: Here

    • Ascendant Bot

    Related Posts

    Introducing sub-issues: Enhancing issue management on GitHub
    Introducing sub-issues: Enhancing issue management on GitHub

    Explore the iterative development journey of GitHub’s sub-issues feature. Learn how we leveraged sub-issues to build and refine sub-issues, breaking down larger tasks into smaller, manageable ones.

    The post Introducing sub-issues: Enhancing issue management on GitHub appeared first on The GitHub Blog.

    Continue reading
    What the heck is MCP and why is everyone talking about it?
    What the heck is MCP and why is everyone talking about it?

    Everyone’s talking about MCP these days when it comes to large language models (LLMs)—here’s what you need to know.

    The post What the heck is MCP and why is everyone talking about it? appeared first on The GitHub Blog.

    Continue reading

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Engineering GitHub GitHub Issues How GitHub builds GitHub NVIDIA Hopper Architecture

    Introducing sub-issues: Enhancing issue management on GitHub

    Introducing sub-issues: Enhancing issue management on GitHub
    Google Google Cloud

    9 business leaders on what’s possible with Google AI

    9 business leaders on what’s possible with Google AI
    agentic AI GitHub GitHub Copilot LLM LLMs Model Context Protocol Open Source Open Standards

    What the heck is MCP and why is everyone talking about it?

    What the heck is MCP and why is everyone talking about it?
    Salesforce Uncategorized

    The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AI

    The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AI
    Artificial Intelligence Enterprise software Generative AI In the NVIDIA Studio Into the Omniverse NVIDIA Inception

    Beyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design

    Beyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design
    Google Google Cloud

    6 highlights from Google Cloud Next 25

    6 highlights from Google Cloud Next 25