Disputing a CVE is no straightforward task either, as a GitHub security team member explained. It requires a project maintainer to chase the CVE Numbering Authorities (CNA) that had originally issued the CVE.
CNAs have conventionally comprised NIST’s NVD and MITRE. Over the past few years, technology companies and security vendors joined the list and are also able to issue CVEs at will.
These seems like an issue worth addressing. If it’s too easy to report and too difficult to dispute, I could see the CVE ecosystem be weaponized and turned into a political tool.
These seems like an issue worth addressing. If it’s too easy to report and too difficult to dispute, I could see the CVE ecosystem be weaponized and turned into a political tool.