Thank you for your reply.
Your current security policy is certainly impressive in a lot of ways. However, I still think there are benefits to having your security vulnerabilities reported to NVD that your current policy does not provide.
Now, if I understand correctly, you announce security fixes by having “SECURITY:” in the commit message of the fix.
This is not the same thing as disclosing the vulnerability, which may affect multiple prior versions of the software before the fix.
The way NVD works is that each vulnerability gets assigned a unique identifier, and it tracks which versions of each product are affected by the vulnerability.
So, for example, the Heartbleed bug has an official, standards-compliant identifier, CVE-2014-0160, and a record describing its severity along several dimensions. Other important projects, ranging from Android to MediaWiki to Ruby on Rails, all report their vulnerabilities in this way.
I am not sure about hackerone’s relationship with NVD. Some quick searching implies that they do not work with them directly; Intel’s hackerone page requires bug bounty hunters to come up with a CVSS vector string for indicating severity using one of the calculators. (CVSS is one of the other interrelated NIST standards for vulnerability reporting.)
While increasing overhead for bug bounty hunters doesn’t seem ideal, I could see how hackerone would want to give its customer the option of opting out of NVD disclosure. I agree that it makes sense for them to support integration, but I believe that currently they don’t and it’s the responsibility of vendors.