> No, the NVD ratings are entirely meaningless to us. In addition to security
> issues fixed in DSAs, there are also minor security fixes provided via
> the jessie point updates.
>
> Cheers,
> Moritz

1. If NVD ratings are meaningless to Debian's security team, how does the security team prioritize which vulnerability should be fixed first before others?

2. According to https://www.debian.org/security/, it states: "Debian also participates in security standardization efforts: the Debian Security Advisories are CVE-Compatible (review the cross references) and Debian is represented in the Board of the Open Vulnerability Assessment Language project." If Debian Security Advisories are CVE-compatible, it means that the former accept the NVD ratings included in CVEs, yes?