A CVE Dispute
chmaynard
12 points
1 comment
June 24, 2026
Discussion Highlights (1 comment)
TZubiri
Reasonable policy and resolution. Glad Mitre agreed. Daniel refrains from making explicit their speculation as to why the reporting party wanted the CVE assigned. I'll try to make it explicit: The reporter wanted the credit for having discovered a security issue in Curl, they probably don't have many accolades, so this would look great on their resume, blog, LinkedIn or Twitter. It's also deducible that they don't have the skills to find another vuln of the same or higher severity, otherwise they would have spent effort doing that instead of trying to push the one vuln they discovered. So the vuln was found either with AI, or by chance as a user. It's like a reputational beg bounty, a topic which Stenberg has previously covered a lot since AI caused an influx of low-quality reports.