"The pursuit of knowledge is often a thankless task, but it is a task worth undertaking" - "The Demon-Haunted World: Science as a Candle in the Dark" by Carl Sagan
Table of Contents:
- What is a CVE
- Benefits for Security Researchers of having a CVE
- Career advancement
- Responsible Disclosure
- Reporting a CVE or 0day/Zero Day
- Dark-side of Disclosures
Late last year I started thinking about the goals I wanted to set for the New Year. In cybersecurity there is always something new to learn, but this year I really wanted to feel like whatever I was working on would have some kind of meaningful impact.
For me, I decided to pursue obtaining a CVE for some security research. Working for a government makes it quite difficult to publish most of my work, so instead I decided to focus on contributions to Open Source Software.
Another reason is that it's also more manageable than working in the competitive bug bounty space. Plus, I feel that reporting security issues that don't have a bounty is more about my own ethics and morals: doing some good in this world.
So here's my research on some additional benefits of pursuing CVEs.
What is a CVE
A CVE (Common Vulnerabilities and Exposures; aka 0day, 0-day, Zero Day) is a unique identifier assigned by the MITRE Corporation to a specific vulnerability, which allows for easy tracking and identification of a security issue.
An example of a CVE number is
The format is CVE- followed by the four-digit year of the assignment and a unique sequence number assigned by MITRE, so in this case the assignment was made in 2021 and it was the 24107th vulnerability assigned that year.
This CVE number helps in proper tracking of a vulnerability and is used by security professionals and researchers to identify and prioritize vulnerabilities in the software they use.
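As an added example (not code from the original post), a small validator and extractor for identifiers in this format, the kind of helper a triage pipeline uses to link advisories and tickets to a tracked ID. It assumes the sequence number is at least four digits, that sequences longer than four digits are not zero-padded, and that no CVE year precedes 1999:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed syntax: "CVE-" + four-digit year + "-" + a sequence of at least four digits
# (sequences longer than four digits have been permitted since 2014).
_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)
_FIRST_CVE_YEAR = 1999  # assumption: the earliest year present in the CVE list


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper case, sequence zero-padded to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(raw: str) -> Optional[CveId]:
    """Validate a single identifier. Returns None instead of raising so callers
    can treat malformed input (ticket text, commit messages, log lines) as untrusted."""
    m = _CVE_RE.fullmatch(raw.strip())
    if not m:
        return None
    year, seq = int(m.group(1)), m.group(2)
    if year < _FIRST_CVE_YEAR:
        return None
    # Assumption: a sequence longer than four digits is never zero-padded.
    if len(seq) > 4 and seq[0] == "0":
        return None
    return CveId(year, int(seq))


def find_cve_ids(text: str) -> list[str]:
    """Return every distinct valid CVE ID found in free text, normalised to the
    canonical form, in order of first appearance."""
    found: list[str] = []
    for m in re.finditer(r"\b" + _CVE_RE.pattern + r"\b", text, re.IGNORECASE):
        parsed = parse_cve_id(m.group(0))
        if parsed and str(parsed) not in found:
            found.append(str(parsed))
    return found


# Constructed sample text (not a real advisory); the first ID is the post's own example.
SAMPLE = ("Fixed in 2.4.1: cve-2021-24107 and CVE-2021-24107 (duplicate), "
          "see also CVE-2014-100001; ignore CVE-21-1234 and CVE-2021-123.")

if __name__ == "__main__":
    print(find_cve_ids(SAMPLE))  # ['CVE-2021-24107', 'CVE-2014-100001']
```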
Benefits for Security Researchers of having a CVE
Getting a Common Vulnerabilities and Exposures (CVE) assigned to a vulnerability that you've discovered can be beneficial for Security Researchers in several ways:
1. Having a CVE assigned to a vulnerability can help to establish the researcher's reputation as a skilled and reputable Security Researcher.
2. CVEs are widely recognized and used in the security industry, and they provide a credible way to reference and identify a vulnerability.
3. Assigned CVEs are listed in the National Vulnerability Database (NVD), MITRE and other databases which are widely consulted by security experts, vendors, and organizations, thus providing visibility for the researcher and their finding.
4. Career Advancement
Having a CVE assigned to a vulnerability can help to advance a researcher's career, as it demonstrates their skills and experience in finding and reporting vulnerabilities.
5. Responsible Disclosure
Getting a CVE assigned can also help to ensure that the vulnerability is handled responsibly and that the vendor is notified and has the opportunity to develop a fix. By far, for me this is the most important benefit.
Reporting a CVE or 0day/Zero Day
Typically, the process of publishing a CVE isn't quite the same for each issue you report; two similar CVEs can lead to quite different experiences. Here are some quick tips to consider when reporting.
- Making sure the Vulnerability is New
- Contacting the Product Owner
- Coordinating the Vendor to Disclose Responsibly
- Be Patient
- Public Disclosure (No response after 90 days)
Dark-side of Disclosures
Disclosing vulnerabilities can be helpful, but it's important to keep in mind that once disclosed, threat actors may take advantage of them. Therefore, it's crucial to contact the vendor and follow responsible disclosure protocols before publishing.
If you're participating in a bug bounty program run by the vendor, their disclosure policies may prevent you from sharing your findings.
A CVE is not a requirement to conduct security research or to participate in bug bounties; lots of organizations and researchers (like myself) don't report vulnerabilities through the official channels. It really depends on the researcher's goals and the organization's policy.
Ultimately, everyone has their own motivations and reasons for doing their particular research, but for me I enjoy the technical challenge and the means by which to leave the world a little bit better, and safer, than how I found it.
- A Simple Guide to Getting CVEs Published
- How to register and publish a CVE for your awesome vulnerability
- The Demon-Haunted World: Science as a Candle in the Dark by Carl Sagan
- National Vulnerability Database