Unverified CVE reports can lead to unwarranted panic among users, alerts from security scanners, and headaches for developers. Disputing a CVE is challenging, requiring project maintainers to chase the CVE Numbering Authorities that issued the CVE. The CVE system, originally designed for ethical reporting, has attracted community members filing unverified reports, causing distractions for developers and potentially discrediting the CVE system.
CVEs filed by inexperienced security enthusiasts can lead to several issues. Firstly, they can create a significant amount of noise, forcing developers to spend time triaging and addressing non-critical or non-existent vulnerabilities. This can lead to alert fatigue and burnout. Secondly, if these CVEs are integrated into automated security tools, they can trigger unnecessary alerts or actions, potentially disrupting operations. Lastly, the credibility of the CVE system may be undermined if it becomes flooded with exaggerated or irrelevant vulnerabilities.
Fedor Indutny made his GitHub repo read-only after a CVE report was filed against his project, which led to people constantly messaging him about the vulnerability. The report caused unnecessary panic among users and generated alerts from security scanners, becoming a headache for the developer.