List:       full-disclosure
Subject:    [FD] CVEs based on commit messages
From:       Mark Esler <mark.esler () canonical ! com>
Date:       2024-01-26 19:55:15
Message-ID: 7f1d973e-3c98-43cf-bdb1-a2d6557d13b0 () canonical ! com

Dear Meng Rujie,

In regards to your recent FD posts, are you requesting CVEs based on the 
presence of strings in commit messages such as "null pointer dereference"?

Are you reaching out to each upstream project before assigning a CVE? Do 
you believe that every null pointer bug is a vulnerability? What impact 
are you hoping to achieve?

Please reconsider how you are requesting CVEs.

CVE assignment based on commit message allows unscrupulous committers to 
take advantage of CNAs who do so and _print CVEs_ for their resume.

Kind regards,
Mark Esler

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/