@bagder "The system is designed for good-faith reporters against bad-faith product organizations."
The tricky part is in the real world there are bad faith actors at both ends. There needs to be some way to determine ground truth of a report without fully trusting either party.
@bagder I fully understand that a bogus claim like this is annoying and stupid. What I don’t fully understand is what negative consequences this has for you as a maintainer? Is it just people panicking because of a „vulnerability“ and you having to deal with it? Or is there more impact from a CVE that I’m not aware of?
@can it is A LOT of people panicking. Lots of (confused) people contacting us for help and support.
We have to spend a lot of time and effort documenting and explaining the NOT vulnerabilities sometimes even more than we spend on actual vulnerabilities.
@bagder At what point do we create a new vulnerability program that open source projects can live with. If the major players agree to this... Actually just the public threat that we will do this may be enough to force some change.
Add comment