A CVE Dispute

(daniel.haxx.se)

13 points | by chmaynard 9 hours ago

1 comment

  • TZubiri 6 hours ago

    Reasonable policy and resolution. Glad Mitre agreed.

    Daniel refrains from making explicit their speculation as to why the reporting party wanted the CVE assigned. I'll try to make it explicit:

    The reporter wanted the credit for having discovered a security issue in curl; they probably don't have many accolades, so this would look great on their resume, blog, LinkedIn or Twitter.

    It's also deducible that they don't have the skills to find another vuln of the same or higher severity, otherwise they would have spent effort doing that instead of trying to push the one vuln they discovered. So the vuln was found either with AI, or by chance as a user.

    It's like a reputational beg bounty, a topic which Stenberg has previously covered a lot since AI caused an influx of low quality reports.