On Wed, Jul 15, 2026 at 11:03 AM Mark Thomas <[email protected]> wrote: > > All, > > We have had quite a few security reports recently that are technically > valid vulnerabilities but have pre-requisites that are such that it is > almost certain no users are impacted by them. > > Currently we assign these a severity of LOW. Do we want to handle them > differently? > > Possible options: > - Don't issue CVEs for these > - New severity for "Lower than low" name TBD > - Something else?
+1 for no CVE. Hallucinated LLM usage scenarios read like fantasy novels, so if we know for sure they can never happen then it should be rejected. Rémy > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
