commit e7b074f4cd1aa1ea4491a9b074cf85d1376d4921 Author: CVE Team Date: Mon Oct 16 12:26:05 2017 -0400 - Added. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 00000000000..881776d1477 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,55 @@ +# How to contribute + +## Notes + +1. Only members of the CVE Automation Working Group should create +pull requests or open issues in this repository currently. Going +forward, we hope to allow progressively wider participation; eg, from +CNAs generally and then security researchers and other cybersecurity +community members. Until then, others who wish to contribute should +use the [CVE Request web form](https://cveform.mitre.org). + +2. Only submit information that is intended to become public +immediately. There is **no support** for embargoed submissions!! + +3. Understand that this is only a pilot - it could be changed +significantly or even halted. + +4. Submissions should be made subject to the [CVE Submissions +License Terms of Use](https://cve.mitre.org/about/termsofuse.html). + +5. It is **strongly recommended** that submissions use [signed +commits](https://help.github.com/articles/signing-commits-with-gpg/). + + + +## Sending Data about CVE Entries to MITRE + +0. If you haven't done so already, fork the _cvelist_ repository. + +1. Ensure your fork is up to date. + +2. Create a new branch. We recommend grouping related updates into a +single submission and using a separate branch for each submission. +For example, one CNA may choose to have a single submission for each +monthly patch bundle, while another may opt for a daily submission. + +3. Make changes to one or more files. **NB:** limit your changes to +only those portions of the JSON that need to be updated rather than +naively overwriting the entire file. + +4. Create a pull request to merge the changes in your new branch into +the cvelist master. + +After a pull request has been submitted, the CVE Team will review the +submission and work with you to resolve issues. Then the CVE Team +will merge the updated files into the "master" branch and use the +supplied information to update the associated entries in the CVE List +itself. 
+ + +## Contact + +Direct questions, comments, or concerns about use of this repo to the CVE +Team using the [CVE Request web form](https://cveform.mitre.org). + diff --git a/README.md b/README.md new file mode 100644 index 00000000000..507f7526fe8 --- /dev/null +++ b/README.md 
@@ -0,0 +1,45 @@ +# CVE Automation Working Group Git Pilot + +The [CVE Automation Working +Group](https://github.com/CVEProject/automation-working-group) is +piloting use of git to share information about public vulnerabilities. +The goal is to learn not only what features are necessary to support +the "plumbing" of sending and receiving the data, but also which +attributes and metadata are needed in the CVE format to support +automation. + +This repository holds information included in the [CVE +List](https://cve.mitre.org) formatted using the [CVE JSON +format](https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema). + +Use of the CVE information in this repository is subject to the [CVE +Terms of Use](https://cve.mitre.org/about/termsofuse.html). + + +## Overview of the Repository + +Information about each CVE id is stored as a unique file in the repo +in a subdirectory based on the year as well as the numeric portion of +the id, truncated by 1,000. Thus, [2017/3xxx](2017/3xxx) is for +CVE-2017-3000 - CVE-2017-3999, and [2017/1002xxx](2017/1002xxx) is for +CVE-2017-1002000 - CVE-2017-1002999. + +The CVE Team updates these files automatically every hour using +information from the CVE List, provided there have been changes. The +synchronization job kicks off at the top of the hour and should +complete within 5 minutes. + +For ids that have been populated, the files contain the description +and references that appear in the [CVE +List](https://cve.mitre.org/cve/cve.html). They may also contain +information about the affected product(s) and problem type(s), which +CNAs have been supplying when making assignments during the past year +but which is not included in the CVE List. And going forward, it is +hoped that they will contain a richer collection of information about +the vulnerability, as supported by the full CVE JSON schema. 
+ + +## Contact + +Direct questions, comments, or concerns about use of this repo to the CVE +Team using the [CVE Request web form](https://cveform.mitre.org).
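Review bot: in CONTRIBUTING.md, Notes item 5 only "strongly recommends" signed commits, yet item 1 restricts pull requests to CVE Automation Working Group members and the closing paragraph says merged files are used "to update the associated entries in the CVE List itself". Nothing in the file says how the CVE Team confirms that a pull request comes from an authorized submitter. Suggest either making signed commits a requirement or adding a sentence to the review paragraph that describes how submitter identity is checked before merge. A smaller point on step 1 of "Sending Data about CVE Entries to MITRE": "Ensure your fork is up to date" should name the branch to sync against, which step 4 implies is the cvelist master.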
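Review bot: in README.md, "Overview of the Repository" describes the subdirectory layout but never gives the name of the per-id file, and "truncated by 1,000" is ambiguous. The two examples suggest the last three digits of the numeric portion are replaced with "xxx"; say that directly and show one full example path down to the file. The hourly synchronization paragraph also leaves open how the automatic updates interact with changes merged through pull requests as described in CONTRIBUTING.md, in particular whether the job preserves the affected product and problem type data that the text says is "not included in the CVE List". A sentence stating which source wins on conflict would help consumers and submitters.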