MITRE is a US government-supported team, and previously they could not scale to the need of their efforts. They did the best they could, but they still had a lot of angry people out there. The whole world uses CVEs, but it is US-funded, by the way.

In come new CNAs, scaling the efforts through trusted teams, which makes sense. The MITRE team can only do so much on their own.

Unfortunately, I don't think anyone will be as strict and passionate about getting CVEs done right as the original MITRE team has been.

Here's hoping they can revoke CNA status from teams who consistently do not meet a quality bar.



The problem, though, is that issues with CVEs are not caused only by bad CNAs. MITRE (understandably) doesn't have the resources to verify every CVE request it receives, which has resulted in bad CVE details being filed on multiple occasions.

I wonder if maybe, instead of trying to fix CVEs, we could try to think about creating alternatives? I know some companies already use their own identifiers (e.g. Samsung with SVE), so perhaps a big group of respected companies can come together to create a new unified identifier? Just an idea, though.


Getting everyone on board would be tough; some have tried and failed, like OSVDB. It requires funding and passionate folks to run it. I think what we could do is spin the CVE arm of MITRE off into a non-profit and ask all major companies who want to be on the board to chip in and support it. This could have challenges too that would need to be addressed.



