Filing a CVE used to be a dialog between the researcher, developers, and third-party domain experts. Accepting every random LLM-generated report and granting it a 9.8 score is not useful in any way.
I have to patch hundreds of CVEs in a month, and only a handful are actually valid. The vast majority is "CVSS 9.8: regex complexity explosion in $library" which my project only uses during build. But I've got to patch it, because it's definitely absolutely critical.
While the standard library bug that causes SSL connections to fall back to TLS1.1 instead of TLS1.3 by default is considered WONTFIX and gets REJECTED for a CVE.