Agree. We need an authoritative source.
Thank you,
Scott

scott.law...@lp3.com
703-509-9330
For Cyber Emergencies email: cyberh...@lp3.com

From: Art Manion <aman...@cert.org>
Date: Wednesday, August 18, 2021 at 4:07 PM
To: CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: [EXTERNAL] public reference requirement

Towards the end of the discussion today, this came up:

Participants in these sorts of large/distributed systems (the CVE Program) *must* have some real responsibility, aka skin in the game.

So, the requirement to me is that the entity requesting or assigning or populating the CVE entry *must also be willing to make the same claim themselves.* This can be a git commit, a vendor advisory, a researcher blog post. More than the content, the fact that the claim is published by the CVE requester/assigner matters.

Otherwise the system allows participants to push responsibility on the program that the program doesn't own -- the program catalogs vulnerabilities, the program doesn't own (i.e., discover, create, fix) vulnerabilities.

- Art