Call it "hardening"? (Or something similar)

It'll acknowledge it has potential for a security flaw, but not enough for
a CVE?

-Tim

On Wed, Jul 15, 2026 at 5:03 AM Mark Thomas <[email protected]> wrote:

> All,
>
> We have had quite a few security reports recently that are technically
> valid vulnerabilities but have pre-requisites that are such that it is
> almost certain no users are impacted by them.
>
> Currently we assign these a severity of LOW. Do we want to handle them
> differently?
>
> Possible options:
> - Don't issue CVEs for these
> - New severity for "Lower than low" name TBD
> - Something else?
>
>

Reply via email to