What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder Eliminating low and medium CVEs wouldn't actually make software safer; it would just blindfold defenders. It turns out that a lot of "minor" leaks can still sink the ship if they are left unmonitored.
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder uhh, you sleep? that kinda seems like an upside though so it's impossible to say
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder I guess the scale would change. What's HIGH now would end up on the LOW end of the remaining interval, possibly resulting in people ignoring the issues.
I have faith in people messing this up, if given the opportunity.
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
A lot of "security researchers" would be sad that they couldn't pad their resumes with more CVE numbers?
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder I mean CVSS is not a great scheme for ranking anyhow. Even v4 has the core problems of v3 (IMO)
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder macOS 15 still has curl 8.7.1. Those CVEs do not seem to have a lot of impact, if you ask me.
-
@bagder I mean CVSS is not a great scheme for ranking anyhow. Even v4 has the core problems of v3 (IMO)
@jacques we don't use CVSS, never did...
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder normalization of deviance, mostly, but it's probably nothing that the industry hasn't encouraged before
-
@jacques we don't use CVSS, never did...
@bagder well now I just feel silly for assuming!
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder I'd prefer to know what issues exist, even if it's a bit noisier (on the blue team side)
Trying not to normalise the deviance of not fixing issues at my workplace
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder We would need to refer to bugs as "the buffer overflow that's in src/foo/bar.c line 1067 in version 4.5.6, and line 1058 in version 4.5.7" again.
Arch Linux wouldn't care, but it would make the life of Debian maintainers more difficult.
-
@bagder We would need to refer to bugs as "the buffer overflow that's in src/foo/bar.c line 1067 in version 4.5.6, and line 1058 in version 4.5.7" again.
Arch Linux wouldn't care, but it would make the life of Debian maintainers more difficult.
@kpcyrd countless projects basically do this already, I don't think the world would fall over. It would be fewer CVEs to care about.
-
@bagder We would need to refer to bugs as "the buffer overflow that's in src/foo/bar.c line 1067 in version 4.5.6, and line 1058 in version 4.5.7" again.
Arch Linux wouldn't care, but it would make the life of Debian maintainers more difficult.
-
@kpcyrd @bagder another note is even if a security relevant bug has low or medium significance to the security model of curl, it might still have significance to the security model of systems that use curl. Obviously it's user beware, but it's harder to make those decisions when you can't easily distinguish between security bugs and other bugs.
-
What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
@bagder Keep an ID, any ID.
I see them as globally unique identifiers that are used in "did you fix this thing" context. As naming things is hard and we will run out of catchy names and logos...
The severity indicates "fix now" or "fix tomorrow" or "next release". Thus the combo ID, severity, mitigation & fix is important.
Curl could use CURL-SEC-2026-05-ABC and it would be fine too.
I just deployed a modprobe.d line for rds_tcp but no ID yet
/cc @adulau (for soliciting his opinions)
-
@kpcyrd countless projects basically do this already, I don't think the world would fall over. It would be fewer CVEs to care about.
@bagder Anybody can request a CVE, not just upstream. It's less about project policy, if a real, medium-severity vulnerability doesn't have a CVE assigned, that basically just means nobody was bothered enough to request one.