Free and Open Source Software

17916 readers

83 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago

MODERATORS

[email protected]

CVE-2020-19909 is everything that is wrong with CVEs (wetdry.world)

submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]

9 comments fedilink hide all child comments

CVE-2020-19909 is everything that is wrong with CVEs

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

@foss

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago)

NVD state they task an analyst to review each CVE and assign a score, then do QC to review the analysis before publication.

No one's perfect, but since NVD claim to do QC they should fix their mistakes. So now let's see how they answer to Daniel Stenberg's objection. The publication and objections are recent, it's fair to give them a few days to react.

But if they're giving up on doing proper analysis or QC, and are are just acting as a vulnerability number registry, then they shouldn't publish CVSS values.

NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1, CWE, and CPE Applicability statements

CVSS V3.1 exploitability and impact metrics are assigned based on publicly available information and the guidelines of the specification.

Analysis results are given a quality assurance check by another more senior analyst prior to being published to the website and data feeds.

Source: CVEs and the NVD Process