How to request a change to a CVE record
Blog post from GitHub
Common Vulnerabilities and Exposures (CVE) IDs are essential for tracking software vulnerabilities, and when a vulnerability affects your software, creating a repository security advisory is crucial. To ensure your information reaches the appropriate source, you must contact the CVE Numbering Authority (CNA) that issued the CVE ID. GitHub is part of a network of over 400 CNAs and can assist if it issued the CVE ID. To find the appropriate CNA, look up the CVE record on cve.org or nvd.nist.gov, where the CNA is listed.

After identifying the CNA, find its contact information on the CVE partners' website. Your message should include the CVE ID, the desired changes, and supporting evidence. Email is the preferred method for most CNAs, while MITRE Corporation uses a web form for CVE-related communications. Clear context in communications aids the broader community.

Response times from CNAs can vary, though certain rules stipulate timelines for CVE ID assignment and publication. If disputes arise, the CVE Program Policy provides procedures for escalation, with MITRE often serving as the top-level root for disputes. For further improvements to CVE records, the GitHub Advisory Database offers guides on editing security advisories.