Security patches and CVEs

Hi all,


We are researchers looking at Linux kernel patches. We noticed that
there are a few patches which fix a potential security issue but do not
have a CVE (https://cve.mitre.org/) number associated with them.


Recent Example:
https://github.com/torvalds/linux/commit/482137bf2aecd887ebfa8756456764a2f6a0e545#diff-37ac0f0eaad3a953bb2d050a9506b784

A few questions:

It is commonly understood in academia that security patches have
associated CVE numbers, but it is surprising to see that there are
potential security patches missing CVE numbers. Why is this so?

What is the policy of assigning CVEs?

Is it the responsibility of the person submitting the patch to request
a CVE number?


-Best,
Aravind
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


