Information on getting CVE identifiers for issues with open source projects is available from Red Hat[9] and GitHub.[10]
CVEs are for software that has been publicly released; this can include betas and other pre-release versions if they are widely used.
For CVEs assigned by CNAs (e.g., Microsoft, Oracle, HP, Red Hat) this is also the date that was created by Mitre, not by the CNA.
This also means no changes will be needed to previously assigned CVE-IDs, which all include a minimum of four digits.
CVE attempts to assign one CVE per security issue; however, in many cases this would lead to an extremely large number of CVEs (e.g., where several dozen cross-site scripting vulnerabilities are found in a PHP application due to lack of use of htmlspecialchars() or the insecure creation of files in /tmp).[13]
To deal with this, guidelines (subject to change) cover the splitting and merging of issues into distinct CVE numbers.
If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
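When a tool pulls CVE Identifiers out of a report for lookup, the sequence number has to be matched as four or more digits, because a pattern written for exactly four digits silently truncates a longer ID into a different, valid-looking one. The sketch below is an added example, not part of the original text; the report lines, the year-2099 identifiers and the function names are constructed for illustration.

```python
import re

# CVE ID syntax: "CVE-", a four-digit year, then a sequence number of four
# OR MORE digits. The lookarounds stop matches inside longer tokens.
CVE_RE = re.compile(r"(?<![A-Za-z0-9-])CVE-(\d{4})-(\d{4,})(?![0-9])",
                    re.IGNORECASE)

# Pattern written for a fixed four-digit sequence, kept for comparison.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}", re.IGNORECASE)

# Constructed scanner output: hosts, packages and CVE IDs are placeholders.
SAMPLE_REPORT = """\
host-a  pkg-one    high    CVE-2099-0001
host-a  pkg-two    high    cve-2099-9999, CVE-2099-10000
host-b  pkg-three  medium  CVE-2099-1234567
host-b  pkg-two    high    CVE-2099-9999 (duplicate finding)
host-c  pkg-four   info    CVE-2099-123 is malformed
"""


def extract_cve_ids(text):
    """Return unique, upper-cased CVE IDs ordered by (year, sequence)."""
    found = {(int(year), int(seq), f"CVE-{year}-{seq}")
             for year, seq in CVE_RE.findall(text)}
    # Sort numerically: plain string sorting would put 10000 before 9999.
    return [cve_id for _, _, cve_id in sorted(found)]


def legacy_extract(text):
    """What the fixed-width pattern reports for the same input."""
    return sorted({match.upper() for match in LEGACY_RE.findall(text)})


if __name__ == "__main__":
    print("variable-length:", extract_cve_ids(SAMPLE_REPORT))
    print("fixed-width:    ", legacy_extract(SAMPLE_REPORT))
```

With the fixed-width pattern, the five- and seven-digit identifiers come back as `CVE-2099-1000` and `CVE-2099-1234`, so a fix lookup would query the wrong entries without any error being raised.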
Per section 7 of the CNA Rules, a vendor which received a report about a security vulnerability has full discretion with regard to it.[15]
This can lead to a conflict of interest, as a vendor may attempt to leave flaws unpatched by denying a CVE assignment in the first place – a decision which Mitre can't reverse.