What to do about CVE numbers

It's entirely rational for some kernel consumers to have a risk budget and to want to focus that risk budget on security bugs. Intentionally frustrating those consumers by refusing to identify bugs with known security implications is sheer bloodymindedness at this point. It contributes to backporting failures like the recent Android (not) zero-day: https://arstechnica.com/information-technology/2019/10/at...