Secure, Vulnerability Research - CNA Processes
This handbook page is intended to document CNA processes that the Vulnerability Research team uses in contributing to GitLab’s role as a CNA.
CVE Requests
CWEs, CVSS Scores, and Descriptions
- Start with identifying an accurate CWE for the vulnerability
- Review the CVSS score that the submitter provided
- If the CVSS score is largely out-of-line with what you would expect based on the CWE and the description, confirm with the submitter that the score makes sense
- If clear reasons exist for the unexpected CVSS metrics, add a note in the
description to this effect. For example, "… Overall impact is limited
due to the user only being able to affect their own account"
- Note The CVSS score should make sense from an outside perspective when only having access to the CVE description and CWE
GPG Key
The email cve@gitlab.com has
a GPG key that the
Vulnerability Research team uses during CNA procesess.
Extending Public Key
The GitLab cve@gitlab.com email’s public GPG key is set to expire every six
months. Follow these steps to extend the expiration by another six months:
- Have both the public and private keys to
cve@gitlab.comlocally. - List the keys with
gpg --list-keys$> gpg --list-keys /home/user/.gnupg/pubring.kbx ------------------------------ pub rsa4096 2020-00-00 [SC] [expires: 2020-06-00] AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ uid [ultimate] GitLab CVE <cve@gitlab.com> sub rsa4096 2020-00-00 [E] [expires: 2020-06-00] - Edit the key with
gpg --edit-key AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ - Set the expiration date on the key to another
6mwith theexpireinteractive command:$> gpg --edit-key AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ ... gpg> expire ... Key is valid for? (0) 6m
Once the expiration on the public key is extended by another six months, export an armored version of the key with:
gpg --export --armor AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ
You may also want to fetch the ID of the key with. The ID is the last 16
characters of the long-form key AAAABBBBCCCCDDDDEEEEFFFF[GGGGHHHHIIIIJJJJ]:
gpg --list-signatures cve@gitlab.com
Update Locations
The new public GPG key needs to be updated in the following locations:
Last modified December 13, 2023: Move development files in place (
c26f66f9)
