Kogasa

I do not know what that means

If only we were still having the conversation.

That’s… not the point either. The point is that “reporting false positives isn’t a bad thing” is only true up to a point. The discussion is then “is this before or after that point.” Which, given the context of the bug, isn’t really a given. But I don’t want to have that discussion with you anymore because you’re annoying.

“What if the boy who cried wolf got lucky and didn’t get eaten in the end”? Seems to have missed the point of the parable a bit.

I didn’t say the CVE was valid. I explained why it was a mistake. I didn’t say “disclosing security bugs” is, in general, a bad thing, I said raising undue alarm about a specific class of bugs is bad. It’s not a matter of “less or more information,” because as I said, a CVE is not a bug report. It is not simply “acknowledgment of information.” If you think my argument has no merit and there is no reason why “more information” could be worse, you’re free to talk to someone who gives a shit.

Uh, no. But thanks for guessing. It’s frivolous because it violates several principles of responsible disclosure. Yes, the scope of impact is relevant; the availability of methods of remediation is relevant; and the development/patch lifecycle is relevant. The feature being off-by-default and labeled experimental are indirect references to the scope of impact and availability of remediation, and the latter is an indirect reference to the state of development lifecycle. Per the developer(s)’ words, this is a bug that had limited risk and was scheduled to be fixed as part of the normal development schedule. Escalating every such bug, of which the vast majority go without a CVE, would quickly drown out notices that people actually care about. A CVE is not a bug report.

It’s not worthy of a CVE and whether it applies to me is irrelevant. I didn’t say a CVE is a black mark. Frivolous reporting of CVEs damages trust in the usefulness of the system in identifying critical vulnerabilities. This is a known issue related to resumé padding by newcomers to the cybersecurity industry.

To a point. Ever heard of the boy who cried wolf?

Frivolous CVEs aren’t a good thing for security. This bug was a possible DOS (not e.g. a privilege escalation) in a disabled-by-default experimental feature. It wasn’t a security issue and should have been fixed with a patch instead of raising a false alarm and damaging trust.