You will note the Linux kernel is not crying on Twitter when Google submits bugs to them. They did long ago, then realized that the bugs that Google reported often showed up exploited in the wild when they didn’t fix them, and mostly decided that the continuous fuzzing was actually a good thing. This is despite not all the bugs being fixed on time (there are always new OSSFuzz bugs in the queue for fixing).


The Linux kernel instead decided to become a CVE authority, so that they have control over what is officially reported as a CVE.


There are other CVE numbering authorities you can report a vulnerability to and apply for a CVE, or appeal, but this does possibly have a chilling effect if the vendor's CNA refuses valid vulns. (Like with MS in https://hackernews.hn/item?id=44957454)

There's an appeals process: https://www.cve.org/Resources/General/Policies/CVE-Record-Di...

And of course CVE is not the only numbering system, there's OSV DB, GHSA, notcve.org etc.


> this does possibly have a chilling effect if the vendor's CNA refuses valid vulns

The Linux kernel went in the opposite direction: Every bugfix that looks like it could be relevant to security gets a CVE[1]. The number of CVEs has increased significantly since it became a CNA.

[1]: https://lwn.net/Articles/978711/


Thanks. They seem to be pretty proactive indeed if you look at the feed: https://lore.kernel.org/linux-cve-announce/

