Got a bogus CVE? Please share here!
Anyone can request a CVE with no obligation to get in touch with the maintainers. Validation of the vulnerability is done on a cursory level, but of course, this process is not thorough because often validation requires an in-depth understanding and deep knowledge of the tools involved. Triaging the bugs is a time-consuming process that even the biggest companies struggle with in their bug bounty programs.
Mostly, this process works well, and researchers get in touch with maintainers, share PoCs, and, with mutual approval, get CVEs where applicable. Not all bugs even deserve CVEs. With more CVE Numbering Authorities (CNAs) out there to assign CVE IDs and automated tools to scan for these in build pipelines, the problem of fake CVE IDs is becoming quite prominent. My guess on the motivation behind why some companies and individuals try to get such CVEs includes:
- Marketing for (in)security companies by getting their research mentioned by security news outlets
- Beg bounty
- Boosting resumes
- Delivering malware as a PoC for CVE exploits
- LLM-driven CVEs to present at conferences
- https://opensourcewatch.beehiiv.com/p/now-postgresqls-turn-bogus-cve
- https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/
- https://keepassxc.org/blog/2023-06-20-cve-202335866/
- https://devblogs.microsoft.com/oldnewthing/20221004-00/?p=107246
- https://hackaday.com/2023/07/07/this-week-in-security-bogus-cves-bogus-pocs-and-maybe-a-bogus-breach/