Call it "hardening"? (Or something similar) It'll acknowledge it has potential for a security flaw, but not enough for a CVE?
-Tim On Wed, Jul 15, 2026 at 5:03 AM Mark Thomas <[email protected]> wrote: > All, > > We have had quite a few security reports recently that are technically > valid vulnerabilities but have pre-requisites that are such that it is > almost certain no users are impacted by them. > > Currently we assign these a severity of LOW. Do we want to handle them > differently? > > Possible options: > - Don't issue CVEs for these > - New severity for "Lower than low" name TBD > - Something else? > >
