
Non-CVE vulnerabilities

Posted Jul 25, 2025 11:15 UTC (Fri) by smcv (subscriber, #53363)
In reply to: Non-CVE vulnerabilities by pabs
Parent article: Understanding Debian's security processes

GitHub is a CNA, so any project that uses their security advisories mechanism can press a button to ask GitHub to issue a CVE, which in my experience happens quickly. It has worked well for Flatpak vulnerabilities, anyway: we've generally asked GitHub for a CVE ID when we have a draft advisory, a good understanding of the problem, and a patch in progress under embargo, and by the time the patch is tested and ready they've already given us a CVE ID to --amend into it. Before we get the CVE ID we use the advisory's automatically-allocated GHSA ID to refer to it, and after getting a CVE it acts as another name for the GHSA ID which can be used interchangeably.

For vulnerabilities with no CVE ID, Debian's security tracker does have a concept of allocating temporary IDs like "TEMP-2025-012345" if necessary. For best results, upstreams should apply some sort of unique ID to vulnerabilities (an upstream bug-tracker number, or their own local IDs similar to GitHub GHSA) so that they can set the scope for what they consider to be in-scope for a particular vulnerability and what they consider to be a separate issue; if they do that, it's easy for Debian to say that TEMP-2025-012345 is just another name for fooproject/foo#123 or whatever.


Non-CVE vulnerabilities

Posted Jul 25, 2025 13:13 UTC (Fri) by pabs (subscriber, #43278)

I note that not all GitHub projects use CVE IDs, many preferring to stick to GHSA IDs instead.

ISTR that other projects have their own vulnerability ID space, and not all of them have corresponding CVEs too.

I also note Debian doesn't seem to either auto-import non-CVE vulnerability data (probably too many to ingest, and most aren't for Debian-packaged projects anyway) or map non-CVE vulnerability IDs to CVE or TEMP IDs.

I expect the combination of these means that Debian does probably miss some vulnerabilities where upstreams didn't get CVEs, but have released vulnerability information with a GHSA or other ID system.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds