How are CVE identifiers assigned and managed?

There are multiple ways to obtain a CVE.

One could contact one of the CVE Numbering Authorities (CNA), an emergency response team (think CERT) or the CVE project. If the vendor of a product is listed as a CNA you must contact the vendor to obtain a CVE.

Sufficient information must be provided to allow the CVE assigner to take a decision (provide the CVE, merge with other CVEs etc).

For more information see http://cve.mitre.org/cve/request_id.html and http://cve.mitre.org/cve/cna.html#researcher_responsibilities

Some vendors such as Drupal will request CVE identifiers in bulk via openwall for published security announcements that do not already have a CVE requested by the researcher.