While this feels like it’s perhaps bordering on somewhat silly nitpicking, the trend of conflating vulnerabilities with CVEs is probably at least mildly harmful. It’s probably good to at least try not to let people get away with this all the time.

The way many (perhaps most) people think of CVEs is badly broken. The CVE system is deeply unreliable, resulting in CVEs being issued for things that are neither bugs nor vulnerabilities while at the same time most things that probably should have CVEs assigned do not have them. Not to even mention the ridiculous mess that is CVSS.

I’m just ranting though. You know all this, almost certainly much better than me.