Comment by duped
2 days ago
One dude running an X account is not indicative of a community to be honest.
That said, that dude has a point. "Researchers" chasing clout with their names attached to CVEs is kind of ridiculous. Half these CVEs are missing bounds checks that can be fixed with a patch in as much effort as writing up the blog post announcing that there was a missing bounds check.
I guess that the perceived problem from a security perspective is that they're there, not that they're necessarily hard to fix once found.
The main beef is the noise created around these disclosures instead of sending patches to fix the bugs.
If you quietly patch the vulnerable software it's unlikely that I will ever hear about the vulnerability. CVE disclosure is important because that's how I learn of security problems in software I critically depend on. It's not merely a service to the maintainers, but to the users who might otherwise critically depend on vulnerable software.