The popular open source project, 'ip' had its GitHub repository archived, or made "read-only" by its developer as a result of a dubious CVE report filed for his project. Unfortunately, open-source developers have recently been met with an uptick in debatable or outright bogus CVEs filed for their projects.
  • bl4kers@lemmy.mlEnglish
    24·
    4 months ago

    Disputing a CVE is no straightforward task either, as a GitHub security team member explained. It requires a project maintainer to chase the CVE Numbering Authorities (CNA) that had originally issued the CVE.

    CNAs have conventionally comprised NIST’s NVD and MITRE. Over the past few years, technology companies and security vendors joined the list and are also able to issue CVEs at will.

    These seems like an issue worth addressing. If it’s too easy to report and too difficult to dispute, I could see the CVE ecosystem be weaponized and turned into a political tool.