@Sempf - Would NVD be a venue for credit-seeking if they ever did proper evaluation of reports instead of slapping CVSS 9.8 on any report including the word "overflow"? Or if there was a proper process for getting CVEs rejected/updated (see https://daniel.haxx.se/blog/2024/02/21/disputed-not-rejected/)? Blame the process, not the people!
- Do people monetizing their vulns on "the Dark Web" also request CVEs for them? That's new!
- If someone wants a bounty they will have to go through a proper evaluation process before any chance of a CVE being assigned by the vendor. The reporter can request one of course (see my first point), but that's not relevant from a monetary perspective.
The article also elegantly ignores the Linux kernel CNA, which literally spams the CVE database these days...