The Benefits of having a CVE assigned to your Research as a Security Researcher

Getting a CVE assigned to a vulnerability that you've discovered can be beneficial for Security Researchers in several ways.

[Image: Blueprint of a Fictional Computer]

"The pursuit of knowledge is often a thankless task, but it is a task worth undertaking" - "The Demon-Haunted World: Science as a Candle in the Dark" by Carl Sagan

Table of Contents:

  • Overview
  • What is a CVE
  • Benefits for Security Researchers of having a CVE
    • Recognition
    • Credibility
    • Visibility
    • Career advancement
    • Responsible Disclosure
  • Reporting a CVE or 0day/Zero Day
  • Dark-side of Disclosures
  • Conclusion
  • Notes

Overview

Late last year I started thinking about the goals I wanted to set for the new year. In cybersecurity there is always something new to learn, but this year I really wanted to feel like whatever I was working on would have some kind of meaningful impact.

For me, I decided to pursue obtaining a CVE for some security research. Working for a government makes it quite difficult to publish most of my work, so instead I decided to focus on contributions to open source software.

Another reason is that it's also more manageable than working in the competitive bug bounty space. Plus, I feel that reporting security issues that don't have a bounty is more about my own ethics and morals: doing some good in this world.

So here's my research on some additional benefits for pursuing getting CVEs.

What is a CVE

A CVE (Common Vulnerabilities and Exposures) (aka 0day, 0-day, Zero Day) is a unique identifier assigned by the MITRE Corporation to a specific vulnerability, which allows for easy tracking and identification of a security issue.

An example of a CVE number is

CVE-2021-24107

The format is CVE- followed by the four-digit year of the assignment and a unique sequence number assigned by MITRE, so in this case the assignment was made in 2021 and it was the 24107th vulnerability assigned that year.

This CVE number helps in proper tracking of a vulnerability and is used by security professionals and researchers to identify and prioritize vulnerabilities in the software they use.
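As an added example (not part of the original post), here is a small Python helper that applies the ID format described above: it validates a single CVE ID and pulls every CVE ID out of free text such as an advisory or commit message, normalising case and leading zeros and dropping duplicates. It also handles sequence numbers longer than four digits, which the CVE syntax has allowed since 2014. The sample text and every ID in it other than CVE-2021-24107 are constructed for the example.

```python
import re
from dataclasses import dataclass

# Syntax from the post: "CVE-" + four-digit year + sequence number. The sequence
# is at least four digits and may be longer (allowed since 2014), so no upper cap.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the CVE list started in 1999; earlier years are typos

@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper case, sequence padded to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"

def parse_cve_id(text: str) -> CveId:
    """Parse one CVE ID; raise ValueError if the string is not a valid ID."""
    m = _CVE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, sequence = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year: {text!r}")
    return CveId(year, sequence)

def is_cve_id(text: str) -> bool:
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False

def extract_cve_ids(text: str) -> list[str]:
    """Find every CVE ID in free text (advisory, commit message, log line),
    normalise it, drop duplicates and sort by year then sequence number."""
    found = {CveId(int(y), int(s)) for y, s in _CVE_RE.findall(text)
             if int(y) >= FIRST_CVE_YEAR}
    return [str(c) for c in sorted(found)]

# Constructed sample text; only CVE-2021-24107 is the ID quoted in the post.
SAMPLE_ADVISORY = """Fixes cve-2021-24107 (lower case in the commit message).
Also touches CVE-2020-123456 (six-digit sequence) and CVE-2019-0042 (leading
zeros), mentions cve-2021-24107 again, and the malformed CVE-21-1234 is noise."""

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
```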

Benefits for Security Researchers of having a CVE

Getting a Common Vulnerabilities and Exposures (CVE) assigned to a vulnerability that you've discovered can be beneficial for Security Researchers in several ways:

1. Recognition

Having a CVE assigned to a vulnerability can help to establish the researcher's reputation as a skilled and reputable Security Researcher.

2. Credibility

CVEs are widely recognized and used in the security industry and they provide a credible way to reference and identify a vulnerability.

3. Visibility

Assigned CVEs are listed in the National Vulnerability Database (NVD), MITRE and other databases which are widely consulted by security experts, vendors, and organizations, thus providing visibility for the researcher and their finding.

4. Career Advancement

Having a CVE assigned to a vulnerability can help to advance a researcher's career, as it demonstrates their skills and experience in finding and reporting vulnerabilities.

5. Responsible Disclosure

Getting a CVE assigned can also help to ensure that the vulnerability is handled responsibly and that the vendor is notified and has the opportunity to develop a fix. By far, for me this is the most important benefit.

Reporting a CVE or 0day/Zero Day

Typically, the process of publishing a CVE isn't quite the same for each issue you report; experiences can vary quite a bit between two similar CVEs. Here are some quick tips to consider when reporting:

  • Making sure the Vulnerability is New
  • Contacting the Product Owner
  • Coordinating the Vendor to Disclose Responsibly
  • Be Patient
  • Public Disclosure (No response after 90 days)

Dark-side of Disclosures

Disclosing vulnerabilities can be helpful, but it's important to keep in mind that once disclosed, threat actors may take advantage of them. Therefore, it's crucial to contact the vendor and follow responsible disclosure protocols before publishing.

If you're participating in a bug bounty program run by the vendor, their disclosure policies may prevent you from sharing your findings.

Conclusion

A CVE is not a requirement to conduct security research or to participate in bug bounties; lots of organizations and researchers (like myself) don't report vulnerabilities through the official channels. It really depends on the researcher's goals and the organization's policy.

Ultimately, everyone has their own motivations and reasons for doing their particular research, but for me, I enjoy the technical challenge and the means by which to leave the world a little bit better and safer than how I found it.

Notes

💡 Read more about Vulnerability Research in the FREE online book that I'm currently writing, the Vulnerability Research Handbook.