Anyone who works in the software industry knows that a stigma can attach to CVE (Common Vulnerabilities and Exposures) assignments. That stigma is driven by misconceptions that make vendors and open source maintainers reluctant to request a CVE, which reduces transparency and ultimately puts software security at risk.
Is the issue bad enough to justify the effort of getting an assignment?
So why are vendors and open source maintainers hesitant to request CVEs, even if the vulnerability is minor?
Responsible vendors and maintainers, as a matter of practice, request CVEs and publish advisories, even for minor vulnerabilities.