
Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?



> No, the NVD ratings are entirely meaningless to us. In addition to security
> issues fixed in DSAs, there are also minor security fixes provided via
> the jessie point updates.
>
> Cheers,
>         Moritz

1. If NVD ratings are meaningless to Debian's security team, how does the
security team prioritize which vulnerability should be fixed first before
others?

2. According to https://www.debian.org/security/, it states:

"Debian also participates in security standardization efforts: the Debian
Security Advisories are CVE-Compatible (review the cross references) and
Debian is represented in the Board of the Open Vulnerability Assessment
Language project."

If Debian Security Advisories are CVE-compatible, it means that the former
accept the NVD ratings included in CVEs, yes?

