nodejs / security-wg

Node.js Ecosystem Security Working Group


Mitre organization for CVE id request

marco-ippolito opened this issue · comments

In order to automate the CVE ID reservation during the security release process, I'm exploring different options such as MITRE, since they have public APIs https://cveawg-test.mitre.org/api-docs/ (unlike h1).
I was wondering whether Node.js already has an account on Mitre and is registered as an organization (Organizational Administrator (OA) account for the CVE Services), or any other service that allows reserving a CVE ID.

cc @mhdawson @tniessen

Node.js is a CNA, but the project intentionally abandoned that role in favor of HackerOne.


Unfortunately h1 does not provide public API to request cve id, can only be done from the UI 😔
Would it be possible to rethink this decision (using Mitre to reserve CVEs rather than h1) given the possibility of automating the process?


I suppose it depends on the pros and cons of each option, not just on the availability of an API. For example, while HackerOne doesn't provide a great UX for CVE requests, perhaps it allows better access control and auditing than MITRE. On a side note, I think @RafaelGSS suggested using the GitHub CNA, but I've never used that one, so I can't speak to its pros or cons.

FWIW, automating CVE issuing would be nice, but it often requires a lot of manual data entry. For example, the person doing the security release sometimes benefits from someone else filling in the CVE request based on familiarity with the issue.

H1 is good, but it's far from what I believe to be a good platform to handle security reports. For now, we could reserve the CVE-ID through Mitre and just update it in the H1 report.

But, it will require two steps:

  1. Reserve the CVE-ID - before publishing the security release
  2. Publish the CVE-ID - after publishing the security release

Note that H1 has some problems with the latter (specifically when the reporter does not accept the disclosure of the report). I think a discussion of changing our platform would be great, but it's out of scope now.


Once we fulfil the report "team summary" we can use it in several places:

  • CVE description
  • Post-release announcement
  • Store in our vulnerabilities db

We are still a CNA with Mitre, even though we use H1 to manage our CVEs. If you can help me understand what we need a bit more I can see if being a CNA helps us get it.

I'll also add that I don't think we need to choose an either/or up front. We can continue to use H1 even if we experiment with getting CVEs through Mitre as a CNA.

In the past we had to manually request a block up front, but it was a long time ago, so if there are better APIs that we can automate with, that would be good.

One thing I do think is valuable is the linkage between the H1 reports and the CVEs so regardless of how that is done I think we want to make sure we can easily link the CVE to the H1 report.

@RafaelGSS correct me if I'm wrong
So the workflow would be:

  • Create the security release issue
  • Request CVE IDs on Mitre for each of the reports
  • Update the H1 report with the assigned ID
  • When creating the private release, create the CVE on Mitre with the ID previously created
  • Create the public release and then update the status of the CVE to disclosed

Right now you can request a CVE ID and create the CVE manually on H1.
In order to automate this process we could use Mitre only for the CVE creation and keep H1 for everything else.

From what I can see on the swagger: https://cveawg-test.mitre.org/api-docs/
It is possible to reserve IDs singly or in batch,
and then create the CVE with the ID previously reserved.

One thing I do think is valuable is the linkage between the H1 reports and the CVEs

Another important security aspect is that HackerOne provides somewhat granular access control as well as both an audit log for administrative operations (similar to GitHub) and a log of all CVE publication/update requests. If we build automation around some API, we probably want to ensure some level of auditability as well.


I hope Mitre keeps track of that information. Also worth investigating is the granularity of the API tokens generated by Mitre. Would it be possible for me to access the organization on Mitre?

I think it would be good to try to set up a meeting with H1 to explain our use case and that we might need to move to Mitre directly for CVE creation to automate. The goal being to convince them to add APIs. @marco-ippolito maybe you me/Rafael can get together to try to set that discussion up if you think it makes sense.

@mhdawson that would be great!

Created this H1 support issue to start the conversation - https://support.hackerone.com/support/tickets/505857

So according to H1 support, they support neither requesting CVEs nor updating the CVEs on reports 😢
So even if we request the CVE externally we cannot update the report through the h1 APIs (@mhdawson can you ask support to confirm?).

From what they said they don't have any API related to CVEs at this point. Looking forward to hearing if it's something they can prioritize or not.

If we can use mitre APIs, this would be easier. Maybe we do the CVE allocation ourselves? We can keep using H1 for the rest.


Yes, with the Mitre APIs we can automate the CVE request. The only issue I see is that h1 doesn't provide APIs to update the CVE ID on the report, meaning it has to be done manually. H1 support said it's in their backlog.

Given that it is not possible to automate requesting CVEs from HackerOne, can I request access to Mitre?

Can you point me to how we request access? I think I'm the contact, so I may need to be involved in the request.


I honestly don't have this information; I don't have experience with Mitre as a CNA.

How about we get together and try to figure it out. Would 11 after the security WG meeting on Thursday work for you?


Yes 👍

Since HackerOne does not have an API to update the CVE ID on the report, it probably does not make sense to automate the CVE creation for the time being. Support said it's on their backlog, so I expect it to be implemented somewhere in the future.
I'll keep this issue open and update it as soon as we have news.

I disagree. The hard part of creating the CVEs is filling the reports correctly with the correct version ranges. Moreover this information must be put into two public places (the CVE and our github repo).

I've made quite a few mistakes on this front. Please automate this.

Setting the CVE ID in the H1 reports is the icing on the cake of an error-prone process.

@mcollina I think in v0.1, automating the generation of what needs to be filled in on H1 for CVEs will be a great step. If/when APIs are available (which we are discussing with H1), then the actual updates could be automated. In the meantime, generating the summary of the correct version ranges based on the releases will help avoid errors.
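As an added example (not code from the Node.js project or from anyone in this thread) of the "generate the version ranges instead of typing them" step discussed above: given the first fixed version of each Node.js release line, it builds the `cna` container of a CVE JSON 5.0 record (field names as I understand the 5.0 schema) and refuses a fix version that does not belong to its own release line, which is exactly the kind of copy-paste mistake the comments describe. The release lines and versions in the `__main__` block are constructed sample values.

```python
"""Added example: generate CVE 5.0 affected ranges for a Node.js security release."""
import json
import re

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_semver(version):
    """Return (major, minor, patch), raising ValueError for a malformed version."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver version: {version}")
    return tuple(int(x) for x in m.groups())


def affected_versions(fixed_in):
    """Map {release_line_major: first_fixed_version} to CVE 5.0 version entries.

    Each entry states: from <major>.0.0 up to (not including) the fix is affected.
    A fix that belongs to a different line (e.g. {"18": "20.12.0"}) is rejected,
    because it would silently publish the wrong range.
    """
    entries = []
    for major in sorted(fixed_in, key=int):
        fixed = fixed_in[major]
        if parse_semver(fixed)[0] != int(major):
            raise ValueError(f"fix {fixed} is not on release line {major}.x")
        entries.append({"version": f"{major}.0.0", "lessThan": fixed,
                        "status": "affected", "versionType": "semver"})
    return entries


def build_cna_container(title, description, cwe_id, cwe_text, fixed_in):
    """Assemble the 'cna' container that is submitted when publishing the record."""
    return {
        "title": title,
        "descriptions": [{"lang": "en", "value": description}],
        "problemTypes": [{"descriptions": [
            {"lang": "en", "cweId": cwe_id, "description": cwe_text, "type": "CWE"}]}],
        "affected": [{"vendor": "Node.js", "product": "Node.js",
                      "versions": affected_versions(fixed_in)}],
    }


def affected_line_summary(fixed_in):
    """One-line summary reusable in the release post and the H1 report."""
    return ", ".join(f"{m}.x before {fixed_in[m]}" for m in sorted(fixed_in, key=int))


if __name__ == "__main__":  # constructed sample values, not a real advisory
    sample = {"20": "20.12.0", "18": "18.20.0"}
    print(affected_line_summary(sample))
    print(json.dumps(build_cna_container("Example title", "Example team summary",
                                         "CWE-400", "Uncontrolled Resource Consumption",
                                         sample), indent=2))
```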

What I'm pointing out is that setting the CVE on the H1 report is just a tiny copy-paste step. We can create the CVE with Mitre, set it into the various documents, and only copy-paste it into the H1 report. Instead, @marco-ippolito proposes to copy-paste all the CVE requests into H1, plus copy-paste the CVE IDs into the H1 reports: we are not blocked by a missing H1 API from automating 90% of this.

I think the "end" automation should include this, but it can definitely be v0.2.


k, that is what I was trying to express.

We received an update from H1: they have created APIs to automate CVE requesting etc... 🥳🥳🥳 I'll test them and see if they fit our use case.