Bonjour,
There are CVE’s for Nextcloud but none for SecureDrop. From what a friend explained yesterday, I understood (possibly incorrectly because I already had beer in me 
) that any Free Software project can request a CVE id via the Distributed Weakness Filing (DWF) CVE Request form for PUBLIC issues in OpenSource software.
Is it something unnecessary for SecureDrop in general? Or maybe something we did not need just yet? Or …
Cheers