Comment 21 for bug 909569

I'm tempted to say that if an issue warrants a CVE, we should just follow the full process. It's hard to define clear criteria for something that warrants a CVE but doesn't warrant the full responsible disclosure process. It would likely be controversial at times when some people don't agree on which bucket we put an issue in.

In this particular case, even though there's no known way to exploit it, I think the issue is still worth calling out. If someone using Swift was using a frozen version and only cherry picking specific patches called out as a security issue, I would want them to grab this one just in case it helps reduce the impact of some future vulnerability.