
There are other CVE numbering authorities you can report a vulnerability to and apply for a CVE, or appeal, but this does possibly have a chilling effect if the vendor's CNA refuses valid vulns. (Like with MS in https://news.ycombinator.com/item?id=44957454 )

There's an appeals process: https://www.cve.org/Resources/General/Policies/CVE-Record-Di...

And of course CVE is not the only numbering system, there's OSV DB, GHSA, notcve.org etc.



> this does possibly have a chilling effect if the vendor's CNA refuses valid vulns

The Linux kernel went in the opposite direction: Every bugfix that looks like it could be relevant to security gets a CVE[1]. The number of CVEs has increased significantly since it became a CNA.

[1]: https://lwn.net/Articles/978711/


Thanks. They seem to be pretty proactive indeed if you look at the feed: https://lore.kernel.org/linux-cve-announce/
