Reporting CVE Data Issues
Overview
Sometimes CVE data published on cve.org or NIST NVD is incorrect – wrong affected package, wrong severity score, wrong affected version range, or missing fix information. When this happens, the incorrect data propagates into vulnerability scanners and can cause false positives (or false negatives) for Hummingbird container images.
This document describes how to report these issues to get the data corrected at the source.
When to Report
Report a CVE data issue when you find any of the following:
- Wrong affected package – the CVE Record lists a package that is not actually affected
- Wrong version range – the affected or fixed version boundaries are incorrect
- Wrong severity – the CVSS score or severity rating does not match the actual impact
- Missing fix information – a fix exists upstream but the CVE Record does not reflect it
- Wrong CPE match – the NVD CPE configuration matches products that are not affected
How to Report
Reporting to the CVE Program (cve.org)
The CVE Program accepts corrections through the CVE Numbering Authority (CNA) that owns the record.
- Find the CVE Record at https://www.cve.org/CVERecord?id=CVE-YYYY-XXXXX.
- Identify the CNA listed in the record (shown in the “Assigning CNA” field).
- Contact the CNA directly to request a correction. Most CNAs accept reports via:
  - Their security reporting email (often listed on their CNA page)
  - GitHub issues if the CNA is an open source project
- If the CNA is unresponsive, use the CVE Program Request form to dispute the record.
Reporting to NIST NVD
NIST NVD enriches CVE Records with CVSS scores and CPE match data. To request corrections:
- Navigate to the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-YYYY-XXXXX.
- Click the “Contact” link or email nvd@nist.gov with:
  - The CVE ID
  - The specific field that is incorrect
  - Evidence of the correct data (links to upstream commits, release notes, etc.)
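The report above asks for “the specific field that is incorrect” and evidence of the correct value. The following script, added here as an example and not part of the Hummingbird documentation or tooling, shows how to derive that list mechanically: it takes a record shaped like the NVD API 2.0 JSON (the field names `metrics.cvssMetricV31`, `configurations[].nodes[].cpeMatch[]`, `versionEndExcluding` and `vulnerable` are my reading of that schema), compares it against what you have verified upstream, and emits one line per wrong severity, wrong version range, or wrong CPE match. The CVE ID, vendor, product names, versions and scores in the embedded sample are constructed placeholders.

```python
import json

# Constructed sample shaped like an NVD API 2.0 response. Field names follow my
# understanding of that schema; the CVE ID, products, versions and scores are
# placeholders, not real NVD data.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [{
        "cve": {
            "id": "CVE-YYYY-XXXXX",
            "metrics": {
                "cvssMetricV31": [{
                    "source": "nvd@nist.gov",
                    "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"},
                }]
            },
            "configurations": [{
                "nodes": [{
                    "operator": "OR",
                    "cpeMatch": [
                        {"vulnerable": True,
                         "criteria": "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*",
                         "versionEndExcluding": "2.0.0",
                         "matchCriteriaId": "PLACEHOLDER-1"},
                        {"vulnerable": True,
                         "criteria": "cpe:2.3:a:example_vendor:example_lib_cli:*:*:*:*:*:*:*:*",
                         "matchCriteriaId": "PLACEHOLDER-2"},
                    ],
                }]
            }],
        }
    }]
})

# What the reporter verified upstream (constructed: e.g. from the fix commit and
# release notes). Only example_lib is affected, the fix shipped in 1.8.2, and the
# vendor's own CVSS v3.1 base score is 7.5.
VERIFIED = {
    "affected_products": {"example_vendor:example_lib"},
    "fixed_version": "1.8.2",
    "base_score": 7.5,
}


def product_key(cpe):
    """Return 'vendor:product' from a CPE 2.3 string (fields 3 and 4)."""
    parts = cpe.split(":")
    return f"{parts[3]}:{parts[4]}"


def find_data_issues(nvd_json, verified):
    """Compare an NVD record against verified upstream data.

    Returns (issue_type, field_path, nvd_value, correct_value) tuples; the
    field_path is the 'specific field that is incorrect' to cite in the report.
    """
    cve = json.loads(nvd_json)["vulnerabilities"][0]["cve"]
    issues = []

    # Wrong severity: NVD-enriched CVSS v3.1 base score differs from the verified one.
    for i, metric in enumerate(cve.get("metrics", {}).get("cvssMetricV31", [])):
        score = metric["cvssData"]["baseScore"]
        if score != verified["base_score"]:
            issues.append(("wrong_severity",
                           f"metrics.cvssMetricV31[{i}].cvssData.baseScore",
                           score, verified["base_score"]))

    # Wrong CPE match / wrong version range: every criterion flagged vulnerable
    # must name an affected product, and its upper bound must be the real fix.
    for ci, config in enumerate(cve.get("configurations", [])):
        for ni, node in enumerate(config["nodes"]):
            for mi, match in enumerate(node["cpeMatch"]):
                if not match.get("vulnerable"):
                    continue
                path = f"configurations[{ci}].nodes[{ni}].cpeMatch[{mi}]"
                if product_key(match["criteria"]) not in verified["affected_products"]:
                    issues.append(("wrong_cpe_match", f"{path}.criteria",
                                   match["criteria"], None))
                    continue
                end = match.get("versionEndExcluding")  # None == no fix recorded
                if end != verified["fixed_version"]:
                    issues.append(("wrong_version_range",
                                   f"{path}.versionEndExcluding",
                                   end, verified["fixed_version"]))
    return issues


def format_report(cve_id, issues):
    """Render the issues as the body of an nvd@nist.gov correction request."""
    lines = [f"CVE ID: {cve_id}", "Incorrect fields:"]
    for kind, path, nvd_value, correct in issues:
        fix = "should not be marked vulnerable" if correct is None else f"should be {correct!r}"
        lines.append(f"  - [{kind}] {path}: NVD has {nvd_value!r}, {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report("CVE-YYYY-XXXXX", find_data_issues(SAMPLE_NVD_RESPONSE, VERIFIED)))
```

Run against a live record by replacing `SAMPLE_NVD_RESPONSE` with the JSON returned for the CVE ID from the NVD API, and fill `VERIFIED` only with values you can back with the upstream commit or release-note links the report asks for; an entry with no `versionEndExcluding` on an affected product surfaces as a `wrong_version_range` with NVD value `None`, which is the “missing fix information” case.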
Reporting to Red Hat Product Security
If the incorrect CVE data is causing issues in Red Hat’s vulnerability tracking:
- File a Jira ticket in the HUM project with the CVE ID and a description of the data issue.
- Red Hat Product Security can update the VEX feed to reflect the correct disposition for Hummingbird, even before the upstream CVE data is corrected.
Tracking the Correction
After reporting, track the status of the correction:
- CVE Record updates are published at https://www.cve.org/CVERecord?id=CVE-YYYY-XXXXX
- NVD updates appear at https://nvd.nist.gov/vuln/detail/CVE-YYYY-XXXXX (NVD may take days to weeks to process corrections)
- Update the HUM Jira ticket with the correction status so the team is aware