a CVE dispute

A few years ago the curl project signed up and became a CNA. This means that we are masters of and can allocate our own CVE identifiers. For any security problems within our territory, it is we who decide if the issue should get a CVE or not. No more bogus CVEs. 57 CVEs …

daniel.haxx.se
@bagder Do you get something if you find a CVE-worthy bug?
@chris yes, you get that awesome sensation that you help improve curl and a thank you and credits in the advisory
@bagder Ah. I was just wondering why someone would be so insistent that the bug got a CVE. It sounds annoying. I hate explaining myself multiple times without feedback.

@chris @bagder There's a meme going around that CVEs are resume/CV fodder for budding hackers looking to break into infosec.

Maybe I'm biased because nothing I reported publicly ended up with a CVE, but if I'm hiring I'll look at research and judge it on its merits, not whether it got assigned a CVE or not.

@fwaggle
what if HR comes to you and says "I have 100 applicants for this position, and I suspect most of them are severely underqualified. How do I filter out the obviously underqualified ones so that I can give you a manageable number of candidates for technical interview?"
@chris @bagder

@wolf480pl @chris @bagder I don't know a generic answer to that question, we've had a few situations like that where we can give TA specific things to ask about (all specific to our org and the role), but I don't think a CVE being assigned to the applicant is particularly helpful there though?

Not sure I'd want to work for any org with "at least x CVEs to ride" as part of the hiring process, but I can afford to be picky right now.