CVEs based on commit messages
2024-1-28 06:3:4 Author: seclists.org(查看原文) 阅读量:14 收藏

fulldisclosure logo

Full Disclosure mailing list archives


From: Mark Esler <mark.esler () canonical com>
Date: Fri, 26 Jan 2024 13:55:15 -0600

Dear Meng Rujie,

In regards to your recent FD posts, are you requesting CVEs based on the presence of strings in commit messages such as "null pointer dereference"?

Are you reaching out to each upstream project before assigning a CVE? Do you believe that every null pointer bug is a vulnerability? What impact are you hoping to achieve?

Please reconsider how you are requesting CVEs.

CVE assignment based on commit message allows unscrupulous comitters to take advantage of CNAs who do so and _print CVEs_ for their resume.

Kind regards,
Mark Esler

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Current thread:

  • CVEs based on commit messages Mark Esler (Jan 27)

文章来源: https://seclists.org/fulldisclosure/2024/Jan/74
如有侵权请联系:admin#unsafe.sh