Hi, I apologize if this is the wrong place for this email - it seemed to be the most suitable of the mailing lists. I wanted to suggest that when notifying of new vulnerabilities, in addition to the severity level, information is also provided about how widespread the issue is expected to be. For example, the statement might say "this high severity bug is expected to affect around 70% of cases?, or for CVE-2015-1788 it would presumably state ?around 1%? as it affects only client-side uses. This would help OpenSSL users gauge whether the upcoming vulnerability is ?heartbleed?-level, or less serious/widespread. Currently a wide variety of vulnerabilities are just indicated as ?high? severity, which could mean anything from a relatively minor DoS affecting 5 implementations to MITM affecting all servers/browsers. Thanks, James
