Google Cloud has deepened its commitment to security and transparency by expanding its CVE program. Google Cloud will now issue CVEs for critical vulnerabilities, even when no customer action or patching is required. The CVE record will be annotated with the “exclusively-hosted-service” tag to indicate that the vulnerability requires no customer action. This measure aims to increase transparency and foster trust within the IT ecosystem. Issuing CVEs helps users track publicly known vulnerabilities, improving their understanding of their security posture. As noted in its Secure By Design paper, Google has a 20-year history of collaborating with external security researchers, whose independent work discovering vulnerabilities has been helpful to Google. Its vulnerability reporting process encourages direct engagement as part of its community-based approach to addressing security concerns. This announcement marks an important step by Google Cloud toward normalizing a culture of transparency around security vulnerabilities, and aligns with its shared fate model, in which it works with customers to continuously improve security.
Google Cloud Expands CVE Program for Increased Transparency
Google Cloud