This skill automates producing professional CVE request packages from pentest findings. For each qualifying finding it generates MITRE CVE form data, a GitHub Security Advisory draft, a full disclosure report, a vendor notification email template, and machine-readable candidate JSON. It also provides CWE mapping, CVSS guidance, and a reproducible workflow for responsible disclosure.
Invoke this skill after completing a penetration test when you have verified, true-positive findings that merit CVE requests. Use it to standardize disclosure artifacts before contacting vendors or submitting MITRE/GitHub advisories. The skill is user-invocable only and expects researcher contact info as input.
Best used by security-focused agents or human-guided workflows that can read findings files, compute CVSS, and write artifacts to the filesystem (pentest agents, Claude Code-capable agents).
This skill has not been reviewed by our automated audit pipeline yet.