Description
As a remediator of vulnerabilities I struggle with disputed CVEs where the status is not clearly indicated because they appear to be problems when they are not. This costs time and creates confusion.
For example, CVE-2021-3538, with its 9.8 criticality score, created quite the scare when I found it associated with a project that processes credit card information. Yet there was no fix available. That was odd -- a 9.8 CVSS score usually gets attention, and there was none to be found. Plenty of "security" websites, vendors, bloggers, and news aggregators could tell me there was a problem since the CVE program published it and NVD listed it. But one site here indicated that it was a mistake. The "vulnerability" was on a commit that was never merged into the code.
Where's the corresponding cascade of messages that tell me that this super-critical CVE was never a CVE in the first place?