
Distributed Weakness Filing – CVEs for OSS Shuts Down - philips
http://cve.mitre.org/news/archives/2019/news.html#March072019_CVE_Program_Root_CNA_to_Assume_DWFs_Open_Source_Product_Coverage_Responsibilities_Beginning_March_7
======
philips
Thread for the person leading the project:
[https://twitter.com/kurtseifried/status/1103858442479910913](https://twitter.com/kurtseifried/status/1103858442479910913)

I couldn't even get most people to submit well-formed CVE requests, let alone
correct the badly formed ones, let alone actually help with CVE assignments.
The market has spoken, nobody really cares about ensuring Open Source is
broadly covered by CVE. 1/2

A few projects and vendors care about making sure what they ship or
specifically research is covered (e.g.
[https://cve.mitre.org/cve/request_id.html#cna_participants](https://cve.mitre.org/cve/request_id.html#cna_participants)
…) but nobody cares about Open Source in general, e.g. npm? 11 million
developers. 73 CVEs...

