While writing Security Policy Amendment to analyze vulnerabilities in dependencies, I realized that it could actually be useful to be able to provide an analysis of a vulnerability without considering it as ignored.
For example: a new vulnerability is found on a widely used extension and we’re starting to get lots of requests about it, but there’s no easy upgrade possible right away, and the impact is low. In such a case, we shouldn’t ignore the vulnerability, but we should provide information that maybe a workaround is possible while waiting for the upgrade, because it will take weeks to get it.