On Wed, Jul 15, 2026 at 11:03 AM Mark Thomas <[email protected]> wrote:
>
> All,
>
> We have had quite a few security reports recently that are technically
> valid vulnerabilities but have pre-requisites that are such that it is
> almost certain no users are impacted by them.
>
> Currently we assign these a severity of LOW. Do we want to handle them
> differently?
>
> Possible options:
> - Don't issue CVEs for these
> - New severity for "Lower than low" name TBD
> - Something else?

+1 for no CVE. Hallucinated LLM usage scenarios read like fantasy
novels, so if we know for sure they can never happen then it should be
rejected.

Rémy

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to