undefined | Better HN

0 pointstptacek5y ago0 comments

My basic take is: if "CVE stuffing" bothers you, really the only available solution is to stop being bothered by it, because the incentives don't exist to prevent it. People submitting bogus or marginal CVEs are going to keep doing that, and CNAs aren't staffed and funded to serve as the world's vulnerability arbiters, and even if they were, people competent to serve in that role have better things to do.

The problem is the misconception ordinary users have about what CVEs are; the abuses are just a symptom.

0 comments

currymj5y ago

I suspect for both peer review and CVEs, and probably some similar situations I'm not thinking of, it's not just a misconception, it's often more like wishful thinking.

People really want there to be a way of telling what's good and important that doesn't cost them any money or effort. Ironically these systems can sort-of work for that purpose, only if people don't try to use them for that purpose.

astrobe_5y ago

I think both are instances of Goodhart-Campbell-Strathern's law: "When a measure becomes a target, it ceases to be a good measure."

j / k navigate · click thread line to collapse