On 2025-02-18 08:55:55 -0500 (-0500), Roberto C. Sánchez wrote:
[...]
> In theory, any abnormal program behavior has the potential to carry a
> security implication. And in one project I have actually seen where
> there was a push to retroactively designate CVEs for past bug fixes that
> it turned out had some kind of specific security vulnerability
> associated with them. It was very bizarre, and I took it as a sign that
> the "everything has to have a CVE and every CVE must be fixed" mentality
> is infecting more and more parts of the software development world.
[...]
Agreed. In projects where I do vulnerability management work, we've mostly given up pushing back on things others want to file CVEs about in our projects. Our view is that we decide what does and doesn't get an official advisory published, and we'll request a CVE assignment for that ourselves if one hasn't already been issued, but if anyone else wants a CVE for something in our software they can get one themselves and we generally don't have the time or energy to burn on disputing those. If someone comes to us about one of those third-party-issued CVEs not being fixed or fixes for it not getting backported, we remind them that we don't consider it a vulnerability and they're free to take it up with whoever requested or issued it.
--
Jeremy Stanley