nikic | 1 year ago
Linux seems to have taken the reverse approach, by just filing their own bogus CVEs instead. One for every bug fix going into the kernel, rendering the CVE system useless.
eqvinox | 1 year ago
That is not what they're doing at all; things get CVEs by a small three-person committee judging whether they may reasonably have security impact.
If this is rendering CVEs useless to you, then you were misusing CVEs to begin with. CVEs are identifiers. The fact that an identifier is assigned does not mean anything about whether the security issue is real and/or its severity. Assigning an ID was meant to help discuss things, including determining whether it is in fact a security issue.
LtWorf | 1 year ago
It's only when they can't be sure there are not security implications. After all they don't try to build all combinations and so on.
kseifried | 1 year ago
So far in 2024 the Linux Kernel error rate is 3.21%.
Is that bad or good?
Let's compare to the top 25 CNAs by error rate for 2024:
f5 49.32%
atlassian 44.44%
Esri 43.75%
freebsd 40.00%
canonical 32.61%
Gallagher 25.00%
SNPS 25.00%
intel 19.74%
Anolis 18.75%
Dragos 18.18%
rapid7 14.29%
@huntr_ai 12.27%
Google 10.00%
directcyber 8.33%
CERTVDE 8.11%
Go 7.69%
lenovo 6.25%
mitre 5.53%
schneider 4.35%
GitHub_P 4.35%
Fluid Attacks 4.35%
Wordfence 3.56%
Linux 3.21%
snyk 2.94%
So... Linux is in at 24th place for error rate. But wait, surely those numbers are skewed towards some smaller CNAs that reject a handful of issues driving up their error rate?
Nope. Several of the mature CNAs like F5, Atlassian, Canonical, Google, Intel, Red Hat, Lenovo, MITRE all issue tens to hundreds to thousands of CVEs a year and have much higher error rates. Actually the worst CNA by raw numbers is MITRE (159).
Spamming this multiple times since people don't seem to read.
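The per-CNA figures above are easy to reproduce yourself from the public CVE JSON 5 records. The following is an added example, not code from the thread or from any CNA: it assumes "error rate" means REJECTED records divided by all PUBLISHED plus REJECTED records that a CNA dated in the target year, keyed on the schema's `cveMetadata.assignerShortName`, `cveMetadata.state`, `datePublished` and `dateRejected` fields. The records below are constructed sample data with placeholder CNA names, not real CVEs.

```python
"""Per-CNA CVE reject ("error") rates from CVE JSON 5 records.

Added example (not from the thread). Assumption: error rate =
REJECTED / (PUBLISHED + REJECTED), counting each record in the year
it was rejected (REJECTED) or published (PUBLISHED). RESERVED entries
are not public CVEs and are ignored.
"""
import json
from collections import defaultdict

# Constructed sample records in cvelistV5 shape (cveMetadata only; real
# records carry far more). CNA short names are placeholders, not real CNAs.
SAMPLE_RECORDS_JSON = json.dumps([
    {"cveMetadata": {"assignerShortName": "cna-a", "state": "PUBLISHED",
                     "datePublished": "2024-01-10T00:00:00.000Z"}},
    {"cveMetadata": {"assignerShortName": "cna-a", "state": "PUBLISHED",
                     "datePublished": "2024-02-01T00:00:00.000Z"}},
    {"cveMetadata": {"assignerShortName": "cna-a", "state": "PUBLISHED",
                     "datePublished": "2024-03-05T00:00:00.000Z"}},
    # Published, then withdrawn: the rejection date decides the year.
    {"cveMetadata": {"assignerShortName": "cna-a", "state": "REJECTED",
                     "datePublished": "2024-03-20T00:00:00.000Z",
                     "dateRejected": "2024-04-02T00:00:00.000Z"}},
    {"cveMetadata": {"assignerShortName": "cna-b", "state": "PUBLISHED",
                     "datePublished": "2024-05-01T00:00:00.000Z"}},
    {"cveMetadata": {"assignerShortName": "cna-b", "state": "PUBLISHED",
                     "datePublished": "2024-06-01T00:00:00.000Z"}},
    {"cveMetadata": {"assignerShortName": "cna-c", "state": "PUBLISHED",
                     "datePublished": "2023-11-11T00:00:00.000Z"}},
    {"cveMetadata": {"assignerShortName": "cna-c", "state": "REJECTED",
                     "dateRejected": "2023-12-01T00:00:00.000Z"}},
    {"cveMetadata": {"assignerShortName": "cna-c", "state": "PUBLISHED",
                     "datePublished": "2024-07-07T00:00:00.000Z"}},
    # Reserved but never published: must not count for or against anyone.
    {"cveMetadata": {"assignerShortName": "cna-a", "state": "RESERVED"}},
])


def load_sample():
    """Parse the constructed sample records (stand-in for the cvelistV5 files)."""
    return json.loads(SAMPLE_RECORDS_JSON)


def record_year(meta):
    """Year the record became public or was rejected, or None if undated."""
    if meta.get("state") == "REJECTED":
        stamp = meta.get("dateRejected") or meta.get("datePublished")
    else:
        stamp = meta.get("datePublished")
    return int(stamp[:4]) if stamp else None


def cna_error_rates(records, year):
    """Map CNA short name -> (total, rejected, reject percentage) for one year."""
    counts = defaultdict(lambda: [0, 0])  # cna -> [total, rejected]
    for rec in records:
        meta = rec.get("cveMetadata", {})
        state = meta.get("state")
        if state not in ("PUBLISHED", "REJECTED"):
            continue
        if record_year(meta) != year:
            continue
        cna = meta.get("assignerShortName", "unknown")
        counts[cna][0] += 1
        if state == "REJECTED":
            counts[cna][1] += 1
    return {cna: (total, rej, round(100.0 * rej / total, 2))
            for cna, (total, rej) in counts.items()}


def ranked(records, year):
    """CNAs ordered by reject rate (highest first), then by volume, then name."""
    rates = cna_error_rates(records, year)
    return sorted(rates.items(), key=lambda kv: (-kv[1][2], -kv[1][0], kv[0]))


if __name__ == "__main__":
    for cna, (total, rej, pct) in ranked(load_sample(), 2024):
        print(f"{cna:12s} {pct:6.2f}%  ({rej}/{total})")
```

To run this against real data, point `load_sample` at the per-CVE JSON files in the CVE Program's cvelistV5 repository (https://github.com/CVEProject/cvelistV5) instead of the embedded sample; the schema fields used here are the same. Note that the choice of which date decides the year (publication versus rejection) changes the numbers at year boundaries, so state that choice alongside any rate you publish.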
kseifried | 1 year ago