CIRCLE WITH A DOT

joshbressers@infosec.exchange

@joshbressers@infosec.exchange
About
Posts
31
Topics
3
Shares
0
Groups
0
Followers
0
Following
0

Posts

  • What would be the biggest downside if we just stopped considering severity low or medium security bugs CVE worthy?
    joshbressers@infosec.exchange

    @bagder Probably none

    Attackers can sometimes chain lower severity bugs together to do something interesting, but the reality is everyone is drowning in vulnerabilities right now

    Everyone has already written off Low and Medium as "don't care"

    Uncategorized

  • My entire platform for president is to make it a felony to put a USB-C connector on a device that can only charge from a USB-A power supply.
    joshbressers@infosec.exchange

    @mattblaze @robpike hey now. It’s TWO resistors!

    Uncategorized

  • i'll believe in orbital data centers as soon as i see one in orbit, until then it is just bullshit
    joshbressers@infosec.exchange

    @ariadne @ireneista bUt tHeRe iZ nO gRaViTy iN sPaCE!!!!!!!!

    Uncategorized

  • Free as in Tribbles: https://nesbitt.io/2026/05/07/free-as-in-tribbles.html
    joshbressers@infosec.exchange

    @andrewnez

    Hahahahaha

    Chef's Kiss!

    Uncategorized

  • Free as in Tribbles: https://nesbitt.io/2026/05/07/free-as-in-tribbles.html
    joshbressers@infosec.exchange

    @adamshostack @andrewnez

    I can only assume it was 1-2-3-4-5 🙂

    Uncategorized

  • Free as in Tribbles: https://nesbitt.io/2026/05/07/free-as-in-tribbles.html
    joshbressers@infosec.exchange

    @adamshostack @andrewnez

    This is an important detail, one of the best episode endings of all time 🙂

    Uncategorized

  • Free as in Tribbles: https://nesbitt.io/2026/05/07/free-as-in-tribbles.html
    joshbressers@infosec.exchange

    @andrewnez

    This is a good analogy

    HOWEVER

    Time to nitpick your Star Trek facts!!!

    Kirk didn't have Scotty beam the tribbles to the ship, Scotty did that on his own, then nobody wanted to tell Kirk how they solved the problem

    This feels like a lot of modern supply chain activities 🙂

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @ra6bit @ariadne @gregkh @wdormann @Viss @andrewnez @Di4na

    It's a very valid question that gets asked quite a bit

    It *seems* like it's something that should work. But sadly it doesn't

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @siddhesh_p @gregkh @wdormann @Viss

    Every project is really its own ecosystem

    I think glibc does a really good job with CVEs

    But I suspect if you go from 12 a year to 12 a month your process will have to change

    It's possible you would adopt the "give it a CVE and move on" approach, or because there is so much attention from the distros you could get some extra help to deal with the volume

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @ancoghlan

    I'm not opposed to a company employing people at a given project to get some advanced notice

    The devil is in the details, but I think in many cases it could work

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @Le_suisse @ariadne @gregkh @wdormann @Viss @andrewnez @Di4na

    Yes! The #GCVE folks are really on the ball about all this

    I would be willing to bet a milkshake they will be one of the more authoritative sources in the future

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @ra6bit @ariadne @gregkh @wdormann @Viss @andrewnez @Di4na

    Every single time an open source database has been tried it has failed spectacularly. For whatever reason the consumers of that data take and give nothing back then the project dies

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @Di4na @gregkh @wdormann @corsac @Viss

    Yeah, this

    Which then goes back to your comments about our tooling being horrid and makes updates slow and painful

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @gregkh @wdormann @Viss

    This post got into my head. I think you're right, the days of coordination are over

    So I wrote it down
    https://opensourcesecurity.io/2026/05-vulnerability-economics/

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @gregkh @deftpunk @wdormann @Viss

    I do think signaling intent to publish a website and make noise falls under a proper disclosure plan

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @gregkh @deftpunk @wdormann @Viss

    You said this wasn't reported to the kernel security team

    From where I sit (and I'm not in the middle of this) it seems like if you plan to make a website and give something a name, tell the security team

    If you're OK with the current process though I shall trust you on this, you're the expert, I'm just the peanut gallery

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @gregkh @deftpunk @wdormann @Viss

    I do wonder sometimes how many of those CVEs you file could be a privilege escalation with a proper reproducer

    I'm sure it's not zero

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @Di4na @gregkh @deftpunk @wdormann @Viss

    That's also a good point

    It's extra frustrating when there's nothing us unwashed masses can do except wait

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @wdormann @gregkh @deftpunk @Viss

    Ugh, I misread your 14 as a 4 it seems

    14 is still pretty good for most things, I won't argue about that

    Uncategorized

  • So CopyFail CVE-2026-31431 is a thing.
    joshbressers@infosec.exchange

    @wdormann @gregkh @deftpunk @Viss

    I'm too far removed to know all the process now

    4 days is pretty good, yeah

    Uncategorized