by tptacek 1990 days ago
It is, but also worth keeping in mind that vulnerability triage is just an annoying, resource-intensive process. Putting aside the "named vulnerability" thing, the most common prompt for a triage process is "new vulnerability discovered in a dependency"; that will happen several times a week in most significant products. Almost all of those vulnerabilities are marginal, and even the ones that aren't are usually not exposed in a typical use of the dependency. It's just an annoying problem.

No disagreement on it being a chore. The template doesn’t cut down on the actual work of triaging these, it just (hopefully, in a healthy org) helps avoid the “3 meetings per CVE with non-technical managers” part, which does seem avoidable.