Comment 19 for bug 1811098

A CVE can be requested by anyone for any defect. The OpenStack VMT doesn't generally request CVEs for projects it doesn't oversee, but we have a brief overview of what we'd generally recommend putting in MITRE's CVE Request form documented at https://security.openstack.org/vmt-process.html#send-cve-request if you're interested in following a similar process. Note that for an already-public report like this one, there are fewer bits to worry about (the process documentation attempts to call out the difference between what you'd do for still private embargoed reports vs already public reports).