In fact, Arkin credited the Chrome team's different approach to CVE assignments for last week's squabble. "We didn't allocate any CVEs because we viewed this testing as part of the [Secure Product Lifecycle] that spans the joint engineering efforts with the Google Chrome team," Arkin said in the blog. "This led to some confusion since the Google security team has a different approach to CVE allocation."
Another reason why Adobe didn't list each bug -- or more specifically each code change that resulted from its analysis of Google's fuzzing work -- is that it simply didn't have the time or resources.
"It's incredibly expensive to do that," said Arkin. "We'd rather drive those resources into making [Flash Player] better."
Storms understood Adobe's reluctance to list scores of CVEs.
"There's little value for them to do that because of the negative connotation around a high CVE count," said Storms.