While the CVE process was created in response to real problems, it's increasingly clear that CVE numbers are creating problems of their own. At the 2023 GNU Tools Cauldron, Siddhesh Poyarekar expressed the frustration that toolchain developers have felt as the result of arguing with security researchers about CVE-number assignments. In response, the GNU toolchain community is trying to better characterize what is — and is not — considered to be a security-relevant bug in its software.

Fuzzing the binutils utilities has, he began, become a popular exercise; it is an example of the "fuzzing epidemic" that is happening more widely. Fuzzing is good, he took pains to say, but what happens afterward is not. Researchers have started filing for CVE numbers, often for bugs which are not, in truth, security problems. The "infection" is spreading from binutils into the rest of the toolchain ecosystem. The whole CVE system, he said, is broken. People will report issues and get CVE numbers, but nobody involved has any real understanding of the context in which these bugs are found. As a result, a lot of engineering time goes into rebuilding packages, backporting fixes, and so on, all for problems that are not seen as valid security issues.

Poyarekar would like to create a better focus for security efforts and channel that work into a more helpful direction. Doing so requires creating a better understanding of what constitutes a security issue. In short, a security issue is a bug that allows a user to do something that they would otherwise be unable to do. Issues can be divided into a few subcategories; there are, for example, "direct vulnerabilities" that affect the integrity of the system as a whole. Other types include security features (such as hardening) that do not work as they should, or design flaws that make exploits easier. The first two types tend to get fixed, often after the assignment of a CVE number. Design flaws can get CVEs from zealous researchers as well, but tend to result in little more than "hand wringing".