Frivolous CVEs aren’t a good thing for security. This bug was a possible DOS (not e.g. a privilege escalation) in a disabled-by-default experimental feature. It wasn’t a security issue and should have been fixed with a patch instead of raising a false alarm and damaging trust.
It is WAY better to over report than under report. I don’t want vendors to have a lot of ability to say “nope that’s not a security problem, sweep it under the rug”.
To a point. Ever heard of the boy who cried wolf?
https://lemmy.world/comment/7983817
“What if the boy who cried wolf got lucky and didn’t get eaten in the end”? Seems to have missed the point of the parable a bit.
“A liar who lies repeatedly won’t be believed” is definitely equivalent to “A company conservatively warned that one of their products was dangerous in some specific situations.”
Hanging out with you sounds really fun.
That’s… not the point either. The point is that “reporting false positives isn’t a bad thing” is only true up to a point. The discussion is then “is this before or after that point.” Which, given the context of the bug, isn’t really a given. But I don’t want to have that discussion with you anymore because you’re annoying.
I am annoying, but something being low-risk and not affecting most customers doesn’t make it a “false positive”.
If only we were still having the conversation.