Comment by kstrauser
2 months ago
> It includes a request for Wellnhofer to provide a CVE number for the vulnerability and provide information about an expected patch date.
“Three.”
“Like, the number 3? As in, 1, 2, …?”
“Yes. If you’re expecting me to pick, this will be CVE-3.”
The project doesn't have to provide one though. The person reporting it can handle it if they care. It's ok to say "I'm not interested in those".
I think he should just reject reports of vulnerabilities if they aren't accompanied by a patch.