You can file CVEs anonymously, but CNA don't have to assign a CVE number if they consider submission bogus. Depending on the CNA they may also verify the submission themselves or contact the vendor before assignment (usually vendor has to confirm the vulnerability before the publication, often CVE publication date is decided together with the vendor if the vulnerability is not already public).
Of course there are shitty CNAs that don't care. But honestly CVEs are a useful tool for communication, people (both security people and non-security people) should stop obsessing over them.
Of course there are shitty CNAs that don't care. But honestly CVEs are a useful tool for communication, people (both security people and non-security people) should stop obsessing over them.