| 35 | | Because WebKit developers regularly fix a high volume of crash reports, it would be impractical to request a CVE each time a security issue is resolved. Instead, CVEs are generally only issued for vulnerabilities discovered by third-party security researchers. This is a cynical approach to security advisory, but to request a CVE for every vulnerability would be implausible. Still, we have occasionally requested CVEs for unusually-noteworthy issues. Previous examples have included TLS certificate verification issues, message validation issues in WebKit's IPC framework, or proxy bypass issues where WebKit fails to respect the user's configured proxy settings. To request a CVE |
| | 35 | Because WebKit developers regularly fix a high volume of crash reports, it would be impractical to request a CVE each time a security issue is resolved. Instead, CVEs are generally only issued for vulnerabilities discovered by third-party security researchers. This is a cynical approach to security advisory, but to request a CVE for every vulnerability would be implausible. Still, we have occasionally requested CVEs for unusually-noteworthy issues. Previous examples have included TLS certificate verification issues, message validation issues in WebKit's IPC framework, or proxy bypass issues where WebKit fails to respect the user's configured proxy settings. To request a CVE for issues that do not affect Apple ports, use [https://cveform.mitre.org/ MITRE's web form] and ignore all the instructions telling you not to use the form and to use other CNAs instead. If you try to get a CVE from another CNA instead of using MITRE's request form, you're just going to waste your time. In particular, do not use the DWF CNA. |
