What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 18:28:34 GMT

securitym0nkey@infosec.exchange — Tue, 19 May 2026 18:28:34 GMT

@bagder counter question what would be the downsides if we don't? Many organizations already have a hard time dealing with the vulnerability reports. They are drowning already in insignificant CVEs. And the situation isn't getting better. As a result important vulnerabilities aren't addressed as quickly as they could.

But on the other hand it's already questionable what's considered low, medium and high. Official scoring often does not match what an organization would do for themselves.

Whatever you do, for some people it will be negative. You have to balance the equation to be net positive. A really hard one to solve. Maybe even impossible to solve.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 18:22:15 GMT

airtower@woem.men — Tue, 19 May 2026 18:22:15 GMT

@bagder@mastodon.social I've seen security bugs considered lower severity because they affect only uncommon use cases, even if they're serious in those cases. Not assigning CVEs would make those harder to find.

Though, to my great annoyance, I recently found CVEs considered low priority (severity or otherwise) often aren't properly annotated in NVD anyway, which makes them rather useless for automated checks. But that's a problem of the database.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 18:11:15 GMT

kpcyrd@chaos.social — Tue, 19 May 2026 18:11:15 GMT

@bagder Anybody can request a CVE, not just upstream. It's less about project policy, if a real, medium-severity vulnerability doesn't have a CVE assigned, that basically just means nobody was bothered enough to request one.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 17:46:38 GMT

jeroen@secluded.ch — Tue, 19 May 2026 17:46:38 GMT

@bagder Keep an ID, any ID.

I see them as globally unique identifiers that are used in "did you fix this thing" context. As naming things is hard and we will run out of catchy names and logos...

The severity indicates "fix now" or "fix tomorrow" or "next release". Thus the combo Id, severity, mitigatio & fix is important.

Curl could use CURL-SEC-2026-05-ABC and it would be fine too.

I just deployed a modprobe.d line for rds_tcp but no ID yet

/cc @adulau (for soliciting his opinions )
J

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 16:00:31 GMT

rrdot@infosec.exchange — Tue, 19 May 2026 16:00:31 GMT

@kpcyrd @bagder another note is even if a security relevant bug has low or medium significance to the security model of curl, it might still have significance to the security model of systems that use curl. Obviously it's user be ware, but it's harder to make those decisions when you can't easily distinguish between security bugs and other bugs.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:55:07 GMT

rrdot@infosec.exchange — Tue, 19 May 2026 15:55:07 GMT

@kpcyrd @bagder this. If it doesn't matter that we have a common identifier to discuss security relevant bugs, then drop it. Otherwise keep em coming.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:54:19 GMT

bagder@mastodon.social — Tue, 19 May 2026 15:54:19 GMT

@kpcyrd countless projects basically do this already, I don't think the world would fall over. It would be fewer CVEs to care about.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:49:51 GMT

kpcyrd@chaos.social — Tue, 19 May 2026 15:49:51 GMT

@bagder We would need to refer to bugs as "the buffer overflow that's in src/foo/bar.c line 1067 in version 4.5.6, and line 1058 in version 4.5.7" again.

Arch Linux wouldn't care, but it would make the life of Debian maintainers more difficult.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:46:07 GMT

richardoc@infosec.exchange — Tue, 19 May 2026 15:46:07 GMT

@bagder I'd prefer to know what issues exist, even if it's a bit noisier (on the blue team side)
Trying not to normalise the deviance of not fixing issues at my workplace

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:37:38 GMT

bagder@mastodon.social — Tue, 19 May 2026 15:37:38 GMT

@jacques some background: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:36:36 GMT

jacques@mastodon.chester.id.au — Tue, 19 May 2026 15:36:36 GMT

@bagder well now I just feel silly for assuming!

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:26:52 GMT

frummidge@meow.social — Tue, 19 May 2026 15:26:52 GMT

@bagder normalization of deviance, mostly, but it's probably nothing that the industry hasn't encouraged before

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:22:20 GMT

bagder@mastodon.social — Tue, 19 May 2026 15:22:20 GMT

@jacques we don't use CVSS, never did...

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:19:33 GMT

bagder@mastodon.social — Tue, 19 May 2026 15:19:33 GMT

@bms48 @bsdphk C89 is like my backyard and comfort zone. That's where I want to be.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:16:42 GMT

bms48@mastodon.social — Tue, 19 May 2026 15:16:42 GMT

@bsdphk The magic acronyms SAST and DAST post-date the writings of Dr. Jorgensen on Software Testing. And SonarQube might be a bit of a nothingburger if everyone is just using clang-tidy and cppcheck anyway. @bagder How can you maintain cURL as C89 and retain sanity? :^)

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 15:04:43 GMT

icing@chaos.social — Tue, 19 May 2026 15:04:43 GMT

@bagder macOS 15 still has curl 8.7.1. Those CVEs do not seem to have a lot of impact, if you ask me.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 14:59:17 GMT

jacques@mastodon.chester.id.au — Tue, 19 May 2026 14:59:17 GMT

@bagder I mean CVSS is not a great scheme for ranking anyhow. Even v4 has the core problems of v3 (IMO)

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 14:41:46 GMT

bsdphk@fosstodon.org — Tue, 19 May 2026 14:41:46 GMT

@bagder

A lot of "security researchers" would be sad that they couldn't pad their resumes with more CVE numbers ?

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 14:32:56 GMT

paulos@infosec.exchange — Tue, 19 May 2026 14:32:56 GMT

@Ellie Indeed, and it also depends on the specific environment. In one of recent talks I've been to, it was mentioned that the medium severity CVEs, after analysis, had sometimes bigger impact than the high/critical ones. So I guess it really depends. But it won't be pretty regardless. @bagder

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 14:31:33 GMT

illuzive@indieweb.social — Tue, 19 May 2026 14:31:33 GMT

@bagder I guess the scale would change. What's HIGH now, would end up on the LOW end of the remaining interval.. possibly resulting in people ignoring the issues.

I have faith in people messing this up, if given the opportunity.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 14:24:13 GMT

xan@xantronix.social — Tue, 19 May 2026 14:24:13 GMT

@bagder uhh, you sleep? that kinda seems like an upside though so it's impossible to say

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 14:20:00 GMT

ellie@darmstadt.social — Tue, 19 May 2026 14:20:00 GMT

@bagder Eliminating low and medium CVEs wouldn't actually make software safer; it would just blindfold defenders. It turns out that a lot of "minor" leaks can still sink the ship if they are left unmonitored.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 14:19:35 GMT

claus@hachyderm.io — Tue, 19 May 2026 14:19:35 GMT

@bagder it'd create a corollary for "if everything is urgent, then nothing is urgent": if low and medium severity bugs are ignored, then more bugs will be classified as high/critical.

Reply to What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy? on Tue, 19 May 2026 14:18:32 GMT

joshbressers@infosec.exchange — Tue, 19 May 2026 14:18:32 GMT

@bagder Probably none

Attackers can sometimes chain lower severity bugs together to do something interesting, but the reality is everyone is drowning in vulnerabiliites right now

Everyone has already written off Low and Medium as "don't care"