[bkor]

If you go to https://cve.mitre.org/ it has a link "Request a CVE ID" which IMO explains that it is only for some products, not all. Alternatively there's also a weblink below it which want GPG key, etc. Alternatively you can email some mailing list, but I don't see where this is documented.

The complaint was that the CVE should've 1) been included in the commit 2) been made. IMO the entire thing is confusing.

Also like to repeat: it's super nice that things are reported and have a CVE. But that doesn't mean every security commit will be seen as related to security.

I'm pretty sure I've seen enough interesting commits in gdk-pixbuf: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=49dcd2d58...