I think a good alternative is a CVE is assigned as somewhere between 1-3 unless proof of concept is able to be assigned, then and only then can the priority to increased to what it should be. these issue reports coming in as a 9 when you basically need to tell the program, “hey I’m being stupid just do it” in order for it to be vulnerable are only wasting developers time. I don’t believe these issues should be ignored however I do think they should be quite a bit lower priority if no concept is provided.
I think a good alternative is a CVE is assigned as somewhere between 1-3 unless proof of concept is able to be assigned, then and only then can the priority to increased to what it should be. these issue reports coming in as a 9 when you basically need to tell the program, “hey I’m being stupid just do it” in order for it to be vulnerable are only wasting developers time. I don’t believe these issues should be ignored however I do think they should be quite a bit lower priority if no concept is provided.