Please consider using CVE identifies for security issues

Instead of vendor identifiers (e.g. CIVI-SA-2019-24) please consider using standard CVE identifies for security issues.

Here is some reasoning from the Debian Security Team:

The good thing on having a CVE id for the vulnerabilities is helping other vendors to track the issues properly 'cross-vendor' in an unique way. If every upstream would use individual identifiers to track their vulnerabilities, this makes the work of downsteams security teams much harder. Nowdays MITRE has improved a lot on their processes on assigning CVEs, and good filled reports at https://cveform.mitre.org/ get fastly assigned a CVE respectively (this somehow depends though on how good the report is done). I know some upstreams did in past make frustrating experiations, and do not want to try that out again.