Security News > 2024 > June > Dev rejects CVE severity, makes his GitHub repo read-only
Fedor Indutny, due to a CVE report filed against his project, started getting hounded by people on the internet bringing the vulnerability to his attention.
In recent times, open-source developers have been met with an uptick in receiving debatable or, in some cases, outright bogus CVE reports filed for their projects without confirmation.
Although Indutny had already fixed the issue in later versions of his project, he disputed that the bug constituted an actual vulnerability and that too of an elevated severity.
Following Indutny's post on social media, GitHub lowered the severity of the CVE in their database and suggested the developer turn on private vulnerability reporting to better manage incoming reports and cut noise.
The CVE system, originally designed to help security researchers ethically report vulnerabilities in a project and catalog these after responsible disclosure, has lately attracted a segment of community members filing unverified reports.
Another npm project, micromatch which gets 64 million weekly downloads has had 'high' severity ReDoS vulnerabilities reported against it with its creators being chased by community members inquiring about the issues.