15 Jul 2026 14:35:52 Tim Funk <[email protected]>:
Call it "hardening"? (Or something similar)
It'll acknowledge it has potential for a security flaw, but not enough
for
a CVE?
That is the part I struggle with. It is the issues where there is a very
slim chance that there would be security consequences for a user. In my
mind that needs a CVE. But at the same time I recognise that at least
99.99% users won't be affected therefore we don't want to put them in a
position where they need to upgrade (because of their own security
policies re CVEs).
Then again, with the current volume of CVEs there are likely to be a
couple of genuine LOW or greater severity CVEs anyway so does a handful
of lower severity CVEs really change very much?
Maybe we need to document the pre-requisites for being exposed to a CVE
more explicitly. But then we run the risk of needing more CVEs if we
don't do that correctly.
As you can probably tell, I don't have a clear idea of what I think the
right answer is yet.
Mark
-Tim
On Wed, Jul 15, 2026 at 5:03 AM Mark Thomas <[email protected]> wrote:
All,
We have had quite a few security reports recently that are technically
valid vulnerabilities but have pre-requisites that are such that it is
almost certain no users are impacted by them.
Currently we assign these a severity of LOW. Do we want to handle them
differently?
Possible options:
- Don't issue CVEs for these
- New severity for "Lower than low" name TBD
- Something else?
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]