Ask HN: Dealing with Fraudulent CVEs?

6 points

2 years ago

One of my open-source projects was hit by a "CVE fraudster" -- a spam account that files bogus CVEs with questionable repros for various repos that haven't had a ton of activity or maintainer bandwidth [0]. The account that reported the CVEs has also targeted a number of other repos, filing CVEs with reproductions that don't even run [1].

Is there any recourse for "false" CVEs"? The CVE system appears to be based on the honour system, which means that taking down false CVEs is impossible.

Has anyone successfully challenged a CVE and had it removed as fraudulent?

The CVE is question is https://nvd.nist.gov/vuln/detail/CVE-2023-33289, and the URL purported to be a "DoS" is provably _not_ an issue.

[0] https://gist.github.com/6en6ar

[1] https://gist.github.com/6en6ar/a4977866c59cbcfc716f0f2717b812bf