[$] Security policies for GNU toolchain projects
While the CVE process was created in response to real problems, it's https://lwn.net/Articles/944209/
that CVE numbers are
creating problems of their own. At the 2023 GNU Tools Cauldron (https://gcc.gnu.org/wiki/cauldron2023),
Siddhesh Poyarekar expressed the frustration that toolchain developers have
felt as the result of arguing with security researchers about CVE-number
assignments. In response, the GNU toolchain community is trying to better
characterize what is — and is not — considered to be a security-relevant
bug in its software.
https://lwn.net/Articles/945536/