# adobe
j
@Mark Takata (Adobe) @Vikram Kumar It appears to submit and gives me an issue number, but the report does not appear publicly. Is this on purpose?: https://tracker.adobe.com/#/view/CF-4216105 ( the 2021 report )
m
Tracker has been very, very squirrely recently. Going to escalate this.
j
Thank you sir!
m
I can confirm this issue made it into our JIRA. It does have the component set to "security" so it is possible this is preventing it from being publicly visible, but I need to confirm this. But we DO have it, and thank you for reporting it!
j
Thanks Mark. I’m in the process of writing justifications for both engines right now, so if there is a publicly available link I could add to those, to demonstrate that the issues have been reported, it would help greatly in obtaining provisional approval.
m
Roger that, understood. @sandip_halder @Vikram Kumar is there any method by which we could provide @jclausen with some form of justification link or other material which he could leverage internally for his reports?
OK it has been confirmed for me that any bug or other item that is tagged with "security" is not shown publicly, in order to prevent potential leveraging of the security risk by bad actors.
j
I can understand that. Of note, in the current system I am writing these justifications for, the ones marked as “Critical” are expected to be resolved within 15 days, or it is, potentially, grounds for rejection. Ones marked as “High” have 35 days. If there’s any chance of getting a hotfix, it would be much appreciated. Most of the reported vulnerabilities can be resolved by just swapping out the JAR with the latest patched version - and there are a lot of duplicates in the list.
Thanks for your assist on this, Mark.
g
I've seen this happen with the recent versions of CF that were released. If I searched by the listed issue # (or entered the URL), it wouldn't work. It's impossible to verify if bugs are fixed if the information regarding the issues is suppressed.