Wrt https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html The internal IDs from the tracker _not_ meant for external publication, this will only lead to stupid chain reactions where external parties pick them up and then they perpetuate. Either simply write "no CVE allocated" or rather do the right thing and request an ID via https://cveform.mitre.org Cheers, Moritz