A CVE Dispute

daniel.haxx.se

15 points by chmaynard 2 days ago · 2 comments

TZubiri 2 days ago

Reasonable policy and resolution. Glad MITRE agreed.

Daniel refrains from making explicit their speculation as to why the reporting party wanted the CVE assigned. I'll try to make it explicit:

The reporter wanted the credit for having discovered a security issue in curl; they probably don't have many accolades, so this would look great on their resume, blog, LinkedIn or Twitter.

It's also deducible that they don't have the skills to find another vuln of the same or higher severity; otherwise they would have spent effort doing that instead of trying to push the one vuln they discovered. So the vuln was found either with AI, or by chance as a user.

It's like a reputational beg bounty, a topic which Stenberg has previously covered a lot since AI caused an influx of low quality reports.

  • pseudohadamard a day ago

    Thus CVE = Curriculum Vitae Enhancement. Have run into quite a lot of those.

    A lesser one is where someone is obsessed with a particular issue and tries to find it in every piece of code they look at, even if it means modifying the code to create it or imagining its presence in the code. Run into some of those as well.

    Trying to dispute stuff like this is an exercise in frustration. I know of several OSS maintainers who just take the hit and report the imaginary vulnerability as fixed in order to make the thing go away.
