On Sun, Oct 05, 2025 at 08:23:21AM +0200, Greg KH wrote:
> That is the work we do to "triage" on a weekly basis.
>
> Again, not all bugfixes that go into the Linux kernel meet the
> cve.org definition of "vulnerability", and so, we do not mark all
> Linux bugfixes with a CVE. If we were to do that, the rate of CVEs
> would be much higher than the current average of 13 per day (which
> if you look at applicability of those CVEs to your system, is on
> average, or a bit below, the other two major operating systems out
> there, so Linux is not an outlier at all.)
>
> Hope this helps explain things a bit better. I think this means I
> need to write up even more documentation as to exactly how we do all
> of this work as this information isn't more widely known.

Yes, thank you. This in fact improved my understanding of the
situation a lot. I hope it also did so for others.

--
Ian
