Julian Foad wrote on Wed, 28 Aug 2019 11:41 +00:00:
> * Drop the CVE? (steps 8, 15, 16)
>
> For cases that are not looking like a very high severity, we could
> omit the CVE process and much of the formal description associated with
> it. CVEs are a Good Thing, but they do require extra effort and we don't
> have to do that for every vulnerability.
>
> Instead, on a case by case basis, we could choose to omit the CVE
> (even drop it after initially requesting one) and summarize the issue at
> a lesser level of detail.

I don't follow. There is a distinction between "the issue has a CVE name", "the issue has an advisory", and "the issue's fix is developed on private@ [using either the security-by-obscurity process or the confidential process]". Which of these three do you propose to do away with?