(CVE-2016-20011) No TLS certificate verification
Moving this from GNOME Bugzilla. libgrss does not appear to perform any TLS certificate verification because it uses the deprecated SoupSessionAsync, which requires manually enabling certificate verification, rather than a modern SoupSession that has good defaults. This seems to still be broken in 2021, so I'm going to request a CVE.
My Bugzilla report has been public since October 9, 2016, so this is already disclosed.