So in general you can always contact the CNA of last resort (Mitre) who will direct you to the right place if it's hard to figure out how/why something got assigned.
However, you can find out the issuing CNA from the cve.org site; in this case https://www.cve.org/CVERecord?id=CVE-2023-35116 and 'view json' gives you the CNA details as "mitre". So this one was not through a CNA but likely someone gave a direct request to Mitre via the request form. And hence https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre so in this case using https://cveform.mitre.org/ is the contact method for a dispute. Regards, Mark On Sun, Jun 18, 2023 at 6:45 PM PJ Fanning <fannin...@apache.org> wrote: > Hi everyone, > > There is a PDF about disputing a CVE but it does not say precisely who > to contact [1]. > > I have no idea who the CNA is in my case (CVE-2023-35116). > > The CVE that I want to dispute was added without any attempt to > contact the Jackson developers. Someone spotted a GitHub issue that we > explicitly rejected as a security issue. [2] [3] > > Does anyone know where we can find out who the CNA is? I guess even > knowing the CNA is only part of the way there because we will need to > find out how to file a complaint. > > Any help would be appreciated. > > Regards, > PJ > > > > [1] > https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf > [2] > https://github.com/CVEProject/cvelist/blob/master/2023/35xxx/CVE-2023-35116.json > [3] https://github.com/FasterXML/jackson-databind/issues/3972 > > --------------------------------------------------------------------- > To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org > For additional commands, e-mail: > security-discuss-h...@community.apache.org > >