Thanks for the link. I'm aware of curl's position on this but I haven't seen my own viewpoint so succinctly echoed in writing before; I'll definitely keep this on hand for future conversations!
Also, interesting recommendations; I haven't heard of them either. One problem, having not tried any of these, is that if the "loud" mechanism (e.g. npm's audit tool) doesn't also check and reconcile, then it really doesn't do much good.
The people who open the issues, and who don't generally know what CVSS is, are not otherwise checking these databases first (oftentimes not even checking for duplicate issues, to begin with). Unless I can revoke a CVE or at least put in a correction, it will remain broken. Simple as that.
> The people who open the issues, and who don't generally know what CVSS is, are not otherwise checking these databases first
Add a notice to the issue template checklist to check the database. Maybe link to a wiki page that illustrates how. Mercilessly issue temporary bans for violations.
This is a spam issue plain and simple even if the perpetrator didn't intend it that way.
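A concrete form of the checklist suggested in this reply, added here as an example that is not from any commenter or project: a GitHub issue form (the tracker, file path, wiki URL and field ids are all assumptions) that makes a reporter confirm they searched existing issues and the advisory database, and name any existing identifier, before a security report can be submitted.

```yaml
# Added example issue form; assumed path .github/ISSUE_TEMPLATE/security-report.yml.
# The wiki URL, labels and field ids are placeholders, not a real project's values.
name: Security report
description: Report a suspected vulnerability or ask about an existing advisory
title: "[security] "
labels: ["security", "needs-triage"]
body:
  - type: markdown
    attributes:
      value: |
        Before filing, check the issue tracker and the project's advisory / CVE
        database for an existing entry. How to do that is described on the wiki
        (placeholder URL): https://example.invalid/wiki/checking-existing-advisories
  - type: checkboxes
    id: pre-checks
    attributes:
      label: Pre-submission checks
      options:
        - label: I searched the existing issues and found no duplicate.
          required: true
        - label: I checked the advisory / CVE database for an entry covering this report.
          required: true
  - type: input
    id: existing-id
    attributes:
      label: Existing advisory or CVE identifier, if any
      description: Enter the identifier you found, or "none" if there is no entry.
      placeholder: "CVE-YYYY-NNNNN / GHSA-xxxx-xxxx-xxxx / none"
    validations:
      required: true
  - type: textarea
    id: details
    attributes:
      label: Description and reproduction details
    validations:
      required: true
```

The required checkboxes stop the form from being submitted until the reporter has attested to the checks, and the identifier field gives whoever triages the issue something to reconcile against the database immediately rather than after a round-trip with the reporter.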