
Vulnerability disclosure: Which comes first, the security bug in PHP or the CVE?

Blog post from Snyk

Post Details

Company: Snyk
Author: Liran Tal
Word Count: 841
Language: English
Summary

The process of raising a potential vulnerability in an open-source project can be complex, involving multiple hurdles such as convincing project maintainers that there is an issue, distinguishing between a bug and a security vulnerability, and navigating the CVE (Common Vulnerabilities and Exposures) process. A recent example of this was the dompdf library incident, where a security researcher submitted a report in October 2021, which was initially met with no response, but eventually led to a fixed version being pushed out after public disclosure. The CVE process involves identifying a CVE partner organization, triaging the vulnerability, and then submitting a request for a CVE identifier, which can take several months to complete. Security researchers must be aware of the nuances of this process and the potential fuzziness between a bug and a security vulnerability in order to effectively raise and report vulnerabilities.