Dear Meng Rujie,

In regards to your recent FD posts, are you requesting CVEs based on the presence of strings in commit messages such as "null pointer dereference"?

Are you reaching out to each upstream project before assigning a CVE? Do you believe that every null pointer bug is a vulnerability? What impact are you hoping to achieve?

Please reconsider how you are requesting CVEs.

CVE assignment based on commit message allows unscrupulous comitters to take advantage of CNAs who do so and _print CVEs_ for their resume.

Kind regards,
Mark Esler

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Reply via email to