Towards the end of the discussion today, this came up: Participants in these
sorts of large/distributed systems (the CVE Program) *must* have some real
responsibility, aka skin in the game. So, the requirement to me is that the
entity requesting or assigning or populating the CVE entry *must also be
willing to make the same claim themselves.* This can be a git commit, a vendor
advisory, a researcher blog post. More than the content, the fact that the
claim is published by the CVE requester/assigner matters.
Otherwise the system allows participants to push responsibility on the program
that the program doesn't own -- the program catalogs vulnerabilities, the
program doesn't own (i.e., discover, create, fix) vulnerabilities.
- Art