[VIM] Question regarding ZDI-12-017's CVE

[security curmudgeon]

: I have sent an additional request to Oracle as I note we have 9 
: published advisories without CVE#s from them. I hope they will respond 
: in a timely manner and I will forward on the CVEs as soon as I receive 
: them

Excellent!

Given how many advisories you guys release, may be worth your time to 
inquire with CVE about becoming a CNA. If you could assign a CVE at the 
time of research and include it when contacting the vendor, it would be 
very helpful for all parties. I mention this because I ran into a big 
group of advisories (~ Feb, 2011) that did not have them. The common theme 
was that each issue was being published after 180 days of no patch, as per 
your policy.