> ... why are CVEs that are just packages of software being accepted to the CVE database anyways?

Ultimately, because there are now a few hundred [0] CNAs [1] which are "authorized to assign CVE IDs" and, AFAICT, there is nothing in the "CNA rules" [2] that requires them to (attempt to) verify the (alleged) vulnerabilities -- although, in at least some instances, I assume it simply wouldn't be possible for them to do so.

--

> 7.1 What Is a Vulnerability?
> The CVE Program does not adhere to a strict definition of a vulnerability. For the most part, CNAs are left to their own discretion to determine whether something is a vulnerability. [3]

Officially, a "vulnerability" is:

> A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.

Fortunately, there is a "Process to Correct Assignment Issues or Update CVE Entries" [5]. In instances of multiple, "duplicate" or "invalid" CVEs, I can see how this might be both frustrating and time-consuming for software developers, though.

--

[0]: https://cve.mitre.org/cve/request_id.html
[1]: https://cve.mitre.org/cve/cna.html
[2]: https://cve.mitre.org/cve/cna/rules.html
[3]: https://cve.mitre.org/cve/cna/rules.html#section_7-1_what_is...
[4]: https://cve.mitre.org/about/terminology.html#vulnerability
[5]: https://cve.mitre.org/cve/cna/rules.html#appendix_c_process_...