daniel:// stenberg://5d ago

a CVE dispute. What a great system.

https://daniel.haxx.se/blog/2026/06/24/a-cve-dispute/

a CVE dispute

A few years years ago the curl project signed up and became a CNA. This means that we are masters of and can allocate our own CVE identifiers. For any security problems within our territory, it is we who decides if the issue should get a CVE our not. No more bogus CVEs. 57 CVEs … Continue reading a CVE dispute →

daniel.haxx.se
Show threadMaster of Potate 🥔5d ago
@bagder Do you get something if you find a CVE worthy bug?
Show threaddaniel:// stenberg://5d ago
@chris yes, you get that awesome sensation that you help improving curl and a thank you and credits in the advisory
Show threadMaster of Potate 🥔5d ago
@bagder Ah. I was just wondering why someone would be so instant that the bug got a CVE. It sounds annoying. I hate explaining myself multiple times without a feedback.
Show threaddaniel:// stenberg://
@chris I cannot explain why they pushed for this so hard.
Jun 24 at 9:50pmWeb
Show threadViolet/Multi (migrated account)5d ago
@bagder @chris Anecdote: A friend recently handled a security report in a popular free project; they don't assign CVEs ever. The reporter insisted on receiving one to build recognition for their CV
Show threadspartanatreyu4d ago
@bagder @chris My guess is resume padding