Being on the Project Management Committee for the Apache Commons Project, I have found myself on various occasions needing to fix CVEs. I’ve personally found the process of documenting a CVE opaque and hard to understand. I’ve made mistakes along the way and want to share what I’ve learned so that more people can contribute to the NVD. The more we know, the better our software is.
Below I’ll go through the process we use at Apache, specifically on the Apache Commons Project, for documenting a CVE in the NVD, step by step, and I’ll share some resources that make it easier if you ever have to document a CVE on one of your own projects.