Full Disclosure mailing list archives
CVEs based on commit messages
From: Mark Esler <mark.esler () canonical com>
Date: Fri, 26 Jan 2024 13:55:15 -0600
Dear Meng Rujie,In regards to your recent FD posts, are you requesting CVEs based on the presence of strings in commit messages such as "null pointer dereference"?
Are you reaching out to each upstream project before assigning a CVE? Do you believe that every null pointer bug is a vulnerability? What impact are you hoping to achieve?
Please reconsider how you are requesting CVEs.CVE assignment based on commit message allows unscrupulous comitters to take advantage of CNAs who do so and _print CVEs_ for their resume.
Kind regards, Mark Esler _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- CVEs based on commit messages Mark Esler (Jan 27)