The thing I like about a more structured CVE process is it forces a paper trail, but the failure mode is turning it into a throughput bottleneck.
IMO the pragmatic approach is: let maintainers publish advisory + fix quickly, then let CVE IDs catch up asynchronously. The priority should be fixing and communicating impact, not the ID itself. Otherwise you incentivize people to sit on fixes while paperwork happens.
umairnadeem123•1h ago