Incentives for pre-release reporting

[Florian Weimer <fweimer () redhat com>]

My recollection (which could be wrong) suggests that vulnerabilities in
unreleased, not really shipping versions do not usually receive CVE IDs.

This has the problem that we cannot reward researchers with a CVE ID
assignment if they report issues in features under development.  If they
waited until after the release, they'd get one, so that is creating the
wrong incentive.

Am I wrong about the CVE program requirements here?  How do projects
handle this?

Thanks,
Florian