5 comments

[ 3.5 ms ] story [ 15.7 ms ] thread
Under current CVE rules, vendors are "are left to their own discretion to determine whether something is a vulnerability". The !CVE program provides a space to report vulnerabilities that vendors do not acknowledge, but that are nonetheless important to the security community.
> Under current CVE rules, vendors are "are left to their own discretion to determine whether something is a vulnerability".

I don't think that's true (at least not in practice), because if it were, then problems like https://news.ycombinator.com/item?id=37267940 and https://news.ycombinator.com/item?id=37394919 wouldn't happen.

Both of your examples are for Curl. Daniel isn't a "CVE Numbering Authority", so he can't arbitrarily reject CVEs for Curl that he doesn't want to acknowledge. Big software vendors generally are[0] and have much more leeway in deciding to grant a CVE or not for their own products.

The two examples you provided are a problem, but so is the current CNA system that is an inherent conflict of interest.

0 - https://www.cve.org/PartnerInformation/ListofPartners

Interesting initiative! How do you deal with validation and fakes that typically plague these things, if I may ask?
I'm not affiliated with !CVE in any way, but based on what I've read, they have a standard review committee minus the whole CNA scheme.

If I was affiliated, I'd want to see a POC for whatever someone was claiming.