Comments by "Edward Cullen" (@edwardcullen1739) on "CURL Creator Is Sick Of Bogus CVE Security Issues!!" video.
Yeah, clearly the original score was based on "it's a networking tool, therefore max score for network element", which is not how CVSS scores work - this exposure requires existing local access to a machine, so it scores 0 on the network element. CVSS is a retarded metric - it's intended for management types, which is a meaningless goal anyway, because "just because it's a 9.8 doesn't mean we need to fix it."
27
Notwithstanding that CVSS is a retarded metric, they haven't even calculated it correctly. To exploit this, one would need existing access to a system - so the network component should score 0, reducing the score dramatically. Just because something interacts with the network doesn't mean that it automatically has a network component. CVEs should require a proven exploit. Sure, it negates the E, but logically almost any design or implementation issue could be classified as an exposure. Something like NVD only works if it has a zero false-positive rate.
1
@jakubrogacz6829 LOL. Dynamic loading of code example: C:\MyProgram\MyProgram.exe. People really have no idea of reality... If your machine is compromised - malicious code is present - you already lost. Buffer overflow is dynamic loading of code. Closing off entire useful features is silly - it's better to define how to use it safely, e.g. all dynamically loaded code MUST be cryptographically verified before being executed. See also "MUST NOT use realloc()", which translates into 10,000 MyRealloc implementations with exactly the same signature and semantics. 🤦‍♂️🤦‍♂️
1
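The comment above proposes a rule rather than a ban: code loaded at run time must pass a cryptographic check before it executes. The following is an added example of that rule in practice, written for this page and not taken from the video, from curl or from the commenter. It uses a SHA-256 pin held by the host program (a hash allowlist, the same idea as a lockfile) as the check; a detached signature over the file would follow the same shape with the pin replaced by a public key. The plugin source, the pinned digest, the tampered copy and the `greeter.py` file name are all constructed for the demonstration.

```python
"""Verify-before-load for dynamically loaded code (added example for this page, not from the video or curl).

A plugin is read into memory once, the bytes that will be executed are hashed and
compared in constant time against a pin the host ships with, and only then does
exec() run. Hashing the in-memory bytes rather than re-reading the path closes
the check-then-use window (TOCTOU). The plugin source, pin and tampered copy
below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile
import types


class UntrustedCodeError(Exception):
    """Raised when a plugin has no pin or its digest does not match the pin."""


def pin_for(source: bytes) -> str:
    """Digest a trusted build of a plugin; run at release time to populate the pin table."""
    return hashlib.sha256(source).hexdigest()


def load_plugin_unverified(path: str) -> types.ModuleType:
    """The pattern that gets features banned outright: execute whatever is on disk."""
    name = os.path.basename(path)
    with open(path, "rb") as f:
        source = f.read()
    module = types.ModuleType(name)
    exec(compile(source, path, "exec"), module.__dict__)
    return module


def load_plugin_verified(path: str, pins: dict) -> types.ModuleType:
    """Same loader, but the bytes are verified against the pin table before exec()."""
    name = os.path.basename(path)
    expected = pins.get(name)
    if expected is None:
        raise UntrustedCodeError(f"{name}: no pin registered, refusing to load")
    with open(path, "rb") as f:
        source = f.read()                      # read once; hash and execute these bytes
    actual = hashlib.sha256(source).hexdigest()
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        raise UntrustedCodeError(f"{name}: digest {actual[:12]}... does not match pin")
    module = types.ModuleType(name)
    exec(compile(source, path, "exec"), module.__dict__)
    return module


# Constructed plugin: the trusted build and a copy with extra code appended.
PLUGIN_SOURCE = b"def greet(name):\n    return 'hello, ' + name\n"
TAMPERED_SOURCE = PLUGIN_SOURCE + b"\n# anything appended here changes the digest\nMARKER = 'tampered'\n"


def demo() -> dict:
    """Load the pinned plugin, then swap the file on disk and show the verified loader refuses it."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "greeter.py")       # constructed file name
        with open(path, "wb") as f:
            f.write(PLUGIN_SOURCE)
        pins = {"greeter.py": pin_for(PLUGIN_SOURCE)}

        mod = load_plugin_verified(path, pins)
        result["verified_greet"] = mod.greet("curl")

        # Simulate an attacker replacing the file after it was pinned.
        with open(path, "wb") as f:
            f.write(TAMPERED_SOURCE)
        result["unverified_loads_tampered"] = hasattr(load_plugin_unverified(path), "MARKER")
        try:
            load_plugin_verified(path, pins)
            result["verified_loads_tampered"] = True
        except UntrustedCodeError:
            result["verified_loads_tampered"] = False

        # A file with no pin at all is refused before it is even read.
        unknown = os.path.join(d, "unknown.py")
        with open(unknown, "wb") as f:
            f.write(PLUGIN_SOURCE)
        try:
            load_plugin_verified(unknown, pins)
            result["unpinned_loads"] = True
        except UntrustedCodeError:
            result["unpinned_loads"] = False
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The pin table is only as trustworthy as the binary that carries it, so in a real deployment it lives in the signed host program (or is itself a signed manifest), never beside the plugins it vouches for; the loader shape stays the same when the per-file digest is replaced by a signature check against a pinned public key.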