by akerl_
238 days ago

> The developer typically defines its threat model.

Is this the case? As we're seeing here, getting a CVE assigned does not require input or agreement from the developer. This isn't a bug bounty where the developer sets a scope and evaluates reports. It's a common database across all technology for assigning unique IDs to security risks. The developer puts their software into the world, but how the software is used in the world defines what risks exist.