[michaelt]

There's plenty of people in that position, but they're all working at huge corporations. Nobody ends up having to chase things like SOC2 and PCI-DSS without getting paid for it.

Why should unpaid volunteers working on the Linux kernel do compliance work for FAANG-sized companies without getting paid for it? If these companies want the reports carefully triaged, they can send some employees to carefully triage them.

[A1kmm]

And these standards do not say "patch every time there is a CVE, even if you are not vulnerable". For example PCI-DSS says "New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs)", it doesn't specifically even mention CVE.

A vulnerability / bug in an upstream component may or may not end up being a vulnerability in a complex system incorporating that component. A vulnerability in upstream functionality that is disabled (or not used, with no possible path through which an attacker could trigger the upstream vulnerability) in a particular system is not a vulnerability in that system. Standards like ISO27001, SOC2, and PCI-DSS generally ask teams to have processes to discover vulnerabilities, but not necessarily to patch things that are not vulnerabilities in practice.

[Retr0id]

Nobody (at least, not me) is calling for the Linux foundation to do additional work.

They've taken it upon themselves to assign a CVE to every bugfix, and it's being pointed out that that doesn't seem to be helping anyone.