M
@GossiTheDog Makes sense to me.
CVE are regularly used to actually block deployment pipelines, which is a useful function for mitigating supply chain vulnerabilities.
More generally, I wouldn't want to be forced to distinguish between active and passive threats and then not be able to label the active threats in a standard way.
@eff Both companies control the client applications, the operating systems, and are required by multiple jurisdictions to run client side scanning.
Never be fooled by transport encryption, even if it is end-to-end.
@wdormann And a CVSS 7.8 won't standout when only 8.0+ typically get patched by OS. LPE are very underrated by CVSS.
