CVEs based on commit messages

[Mark Esler <mark.esler () canonical com>]

Dear Meng Rujie,

In regards to your recent FD posts, are you requesting CVEs based on the 
presence of strings in commit messages such as "null pointer dereference"?

Are you reaching out to each upstream project before assigning a CVE? Do 
you believe that every null pointer bug is a vulnerability? What impact 
are you hoping to achieve?

Please reconsider how you are requesting CVEs.

CVE assignment based on commit message allows unscrupulous comitters to 
take advantage of CNAs who do so and _print CVEs_ for their resume.

Kind regards,
Mark Esler

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/