15 Jul 2026 14:35:52 Tim Funk <[email protected]>:

Call it "hardening"? (Or something similar)

It'll acknowledge it has potential for a security flaw, but not enough for
a CVE?

That is the part I struggle with. It is the issues where there is a very slim chance that there would be security consequences for a user. In my mind that needs a CVE. But at the same time I recognise that at least 99.99% users won't be affected therefore we don't want to put them in a position where they need to upgrade (because of their own security policies re CVEs).

Then again, with the current volume of CVEs there are likely to be a couple of genuine LOW or greater severity CVEs anyway so does a handful of lower severity CVEs really change very much?

Maybe we need to document the pre-requisites for being exposed to a CVE more explicitly. But then we run the risk of needing more CVEs if we don't do that correctly.

As you can probably tell, I don't have a clear idea of what I think the right answer is yet.

Mark



-Tim

On Wed, Jul 15, 2026 at 5:03 AM Mark Thomas <[email protected]> wrote:

All,

We have had quite a few security reports recently that are technically
valid vulnerabilities but have pre-requisites that are such that it is
almost certain no users are impacted by them.

Currently we assign these a severity of LOW. Do we want to handle them
differently?

Possible options:
- Don't issue CVEs for these
- New severity for "Lower than low" name TBD
- Something else?



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to