Service-level contracts and governmental requirements mean that a critical CVE needs to be addressed in short order, so non-critical bugs that get marked that way can cause real problems.
Bureaucracy destroys common sense once again.
If every developer opposes doing anything with bogus CVEs and calling them out for the BS they are, with a detailed explanation of why, then we might get some changes, but unfortunately just mentioning anything "security" has gotten such a paranoic response from most of the population that it's a difficult battle.
Bureaucracy destroys common sense once again.
If every developer opposes doing anything with bogus CVEs and calling them out for the BS they are, with a detailed explanation of why, then we might get some changes, but unfortunately just mentioning anything "security" has gotten such a paranoic response from most of the population that it's a difficult battle.