@loke right, there's no way we can prevent this from happening. You could *possibly* argue that the API is a little fragile designed here, but that's a decision we took 25 years ago so a little late to change now.

And yeah, I think the reporter here did not actually read the documentation properly or perhaps not not properly understand it.

I'd go as far as suggesting that security reports that assumes that the product being reported is used wrongly should not be CVE worthy at all.

I could see a case being made for some kind of advisory, similar to CWE's, but relating to specific products: "how to avoid common security issues when using the curl API" or something like that.

But CVE's should always assume that the product is used correctly. I believe that a majority of the noise in the CVE ecosystem comes from reports assuming that the product is used incorrectly.

Yes, and you can enforce that by being a CVE authority, no?

Sadly, the in general, this is not enforced, and it causes a lot of work for downstream consumers of CVE data. The more I work with CVE data, the more frustrated I get. At least when it's a curl issue, I know I can take it seriously.