Sivan Nir

A failure to report high-severity vulnerabilities often happens with open-source projects — vulnerabilities are discovered, disclosed to relevant parties and (hopefully) fixed without anyone filing a CVE request. It usually boils down to a lack of awareness or is viewed as overly burdensome to submit the CVE request. In 2017, around 7,000 CVE-IDs assigned by the CVE Numbering Authorities (CNAs) has a reserved status where an ID is allocated but not updated with important details. This is especially surprising considering that 1,342 of them had already been publicly disclosed, and thus more likely to have exploits developed. This practice of…