by philipwhiuk 724 days ago
> The problem is, from their viewpoint the security researcher is completely correct: a vulnerability is a vulnerability.

In the app using the library, not in the library.

1 comments

Sure, but if you are using the library and there is no way to disclose vulnerabilities within libraries, you have no idea if you need to implement mitigations or not.

There is no good solution here, but not allowing CVEs to be assigned to libraries is by far the worst one.