Are security issues that don't have a CVE number tracked somewhere? Some issues may not have it by the time they're disclosed and I guess there are ones that for whatever reason don't have and aren't going to get one. If they're tracked in the usual audit/* files, what's the preferred format for them? By the way, if more help is needed, feel free to add me (scop) rights to commit to the fe[45] files.