The poll has ended. With six votes across Twitter and Mastodon, the results are hardly representative. But it seems that a #CVE identifier for everything is a rare approach (1 vote). Most respondents create one only for important findings (3 votes) or never (2 votes).
There is also a comment on Mastodon explaining the logic behind this: if it’s a vulnerability that companies should patch ASAP, assigning a #CVE identifier improves the chances considerably.
@WPalant @c0debabe CVEs are tool enablers. If there's a CVE, then it massively increases the ability of organizations to use tools to identify instances of the vulnerability and track progress towards mitigation and repair. If it's serious enough that you want organizations to actively find and patch it, it's absolutely worth the effort to create the CVE record.
In orgs who patch CVEs in days, non-CVE patches get applied in months or years because execs go "no CVE, it can't be that bad".