One of my open-source projects was hit by a "CVE fraudster" -- a spam account that files bogus CVEs with questionable repros for various repos that haven't had a ton of activity or maintainer bandwidth [0]. The account that reported the CVEs has also targeted a number of other repos, filing CVEs with reproductions that don't even run [1].
Is there any recourse for "false" CVEs? The CVE system appears to be based on the honour system, which means that taking down false CVEs is impossible.
Has anyone successfully challenged a CVE and had it removed as fraudulent?
The CVE in question is https://nvd.nist.gov/vuln/detail/CVE-2023-33289, and the URL purported to be a "DoS" is provably _not_ an issue.
[0] https://gist.github.com/6en6ar
[1] https://gist.github.com/6en6ar/a4977866c59cbcfc716f0f2717b812bf