this post was submitted on 26 Aug 2023
Free and Open Source Software
The author has a point that the NVD has no clue about the security implications of a bug. But can we really expect them to? At a conservative guess, I’d say there are millions of pieces of code floating around. Should the NVD be deeply involved in all of them just to provide the most accurate security score? That’s an impossible ask.
The author also takes issue with the NVD’s stance that they cannot just trust any dude’s email. Is that not a fair take? “Trust me. I’m the maintainer of this project. Do as I say.” Should the NVD now also check each and every email they receive for forgeries? Should they assume that the author of the email would write an assessment in good faith and not downplay a real threat because it looks bad for their project?
(That quote is from another of his blog posts.) Now this is really ludicrous in my opinion. You cannot expect any outsider to read the internals of “over 160,000 lines of feature packed C code (excluding blank lines)” to verify a claim. There is simply not enough time on the NVD’s hands.
I’m happy I learned something about these magical CVE numbers. My takeaway from this is: The database is good, the scores may not be.
You've got a point with NVD, but this case shows how one could damage the reputation of a product - this really looks like Bagder didn't care about security, even the 2020 prefix is a bad sign looking from the outside. I am not sure how the NVD defines CVE scores, but as bagder openly explains this isn't a flaw in security, just a bug he already fixed years ago.