this post was submitted on 26 Aug 2023
83 points (100.0% liked)
Free and Open Source Software
17916 readers
83 users here now
If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
NVD state they task an analyst to review each CVE and assign a score, then do QC to review the analysis before publication.
No one's perfect, but since NVD claim to do QC they should fix their mistakes. So now let's see how they answer to Daniel Stenberg's objection. The publication and objections are recent, it's fair to give them a few days to react.
But if they're giving up on doing proper analysis or QC, and are are just acting as a vulnerability number registry, then they shouldn't publish CVSS values.
Source: CVEs and the NVD Process