Under current CVE rules, vendors are "are left to their own discretion to determine whether something is a vulnerability". The !CVE program provides a space to report vulnerabilities that vendors do not acknowledge, but that are nonetheless important to the security community.
Both of your examples are for Curl. Daniel isn't a "CVE Numbering Authority", so he can't arbitrarily reject CVEs for Curl that he doesn't want to acknowledge. Big software vendors generally are[0] and have much more leeway in deciding to grant a CVE or not for their own products.
The two examples you provided are a problem, but so is the current CNA system that is an inherent conflict of interest.
5 comments
[ 3.5 ms ] story [ 15.7 ms ] threadI don't think that's true (at least not in practice), because if it were, then problems like https://news.ycombinator.com/item?id=37267940 and https://news.ycombinator.com/item?id=37394919 wouldn't happen.
The two examples you provided are a problem, but so is the current CNA system that is an inherent conflict of interest.
0 - https://www.cve.org/PartnerInformation/ListofPartners
If I was affiliated, I'd want to see a POC for whatever someone was claiming.