• Kogasa@programming.dev
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    10 months ago

    I didn’t say the CVE was valid. I explained why it was a mistake. I didn’t say “disclosing security bugs” is, in general, a bad thing, I said raising undue alarm about a specific class of bugs is bad. It’s not a matter of “less or more information,” because as I said, a CVE is not a bug report. It is not simply “acknowledgment of information.” If you think my argument has no merit and there is no reason why “more information” could be worse, you’re free to talk to someone who gives a shit.

    • SexyVetra@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      10 months ago

      lol and you said you weren’t big mad.

      It’s not a matter of “less or more information[…]”

      Escalating every such bug […] would quickly drown out notices that people actually care about.

      If your argument is that a specific class of security bugs aren’t worth CVEs, then make that argument. Instead, you’re saying the CVE isn’t valid and making an argument about the risk assessment and development lifecycle (as if those aren’t part of a CVE) and not the class of security bug.

      I have, this entire time, said it’s a valid CVE that you don’t care about and that you shouldn’t be working as a cybersecurity professional. You have conceded the first point and continued to demonstrate the later.