In today's episode of "CVE is a disaster":

Anthropic has published a coordinated vulnerability disclosure dashboard for their findings.

Vulnerabilities disclosed: 1596
Vulnerabilities patched: 97
Assigned a CVE or a GHSA: 88
...
CVE COUNT for 1596 disclosed vulnerabilities: 14

If something has an adoption rate of less than 1%, what do you call it?

Edit: Apparently Anthropic doesn't know what the word "disclosed" means. In their article about Coordinated Vulnerability Disclosure, Anthropic uses "disclosed" to mean "reported" (to the maintainer). In which case we'd have a 14% success rate for CVE.

@wdormann Uh, not that it matters much if it's 1% or more, but the 14 CVE IDs on the dashboard are the _disclosed_ CVEs; there are more. Quote: "The records below are publicly available. The remainder are reserved, pending publication by the assigning authority."
@christopherkunz
A public (disclosed) vulnerability warrants a public CVE. Reserved CVEs benefit no one.

@wdormann As far as I understand, the gross number of 1596 reported findings are at least in the "disclosed to maintainer" state of the process and not necessarily public yet. On the contrary, it would seem that most vulns aren't even patched yet.

To that end, one could claim that "upstream patching is a disaster", because 97/1451 ~ 6% is not a great look.

Of those 97 vulns, 90% got a CVE/GHSA. Which seems like an OK rate.

I also wonder why four bugs never got a severity rating.

@christopherkunz
If so, it's weird to do a blog post about Coordinated Vulnerability Disclosure without understanding what the word "disclosed" means. 😂
@wdormann Yeah, the whole post screams "AI generated" and they use "disclosed" in an ambivalent fashion. What they mean is "someone downstream from Anthropic and the validating security dudes knows about it".
Also, there's literally no mention of what happened to the 19990 "candidates" that were neither directly reported downstream nor validated by the validation dudes.
It's all very... typical of what I'd expect from an Anthropic blog tbh.