Add an optional CVE field that can be defined on security issues. How should it work, though? Sometimes, the same CVE has multiple IDs. Sometimes, a library is affected by multiple CVEs. Sometimes CVEs are false positives or require extra commentary.

Also, at which point of the process do we assign CVEs to issues? Who is responsible for this, who are the fallbacks?