Hi,

In Sweden we have Olle Johansson (whom some of you might know), who coordinates our effort(s) on trying to understand what's up. I don't know whether Olle is on this list, so I copy him here.

As Ondřej wrote, I do not think we should do anything in panic. We need something that fulfils our needs.

Patrik

On 21 Apr 2025, at 14:29, Ondřej Surý wrote:

> Hi,
>
> I am not sure if anyone should support CVE Foundation yet. You don't build
> trust just by founding yet-another-foundation and putting CVE into the name. Not
> to mention that swapping one US organization for a different US organization
> might not be a best choice as of now.
>
> I would recommend a cautious approach and perhaps thinking about the way
> forward.
>
> This blog post resonates with me a lot:
> https://opensourcesecurity.io/2025/04-can-we-trust-cve/
>
> Cheers,
> Ondrej
> --
> Ondřej Surý (He/Him)
> [email protected]
>
> On Fri, Apr 18, 2025, at 19:09, Michael Richardson wrote:
>>
>> from a private thread:
>>
>> }The CVE Foundation has been formed to fund the CVE effort, due to
>> }"longstanding concerns among members of the CVE Board about the
>> }sustainability and neutrality of a globally relied-upon resource being tied
>> }to a single government sponsor.":
>> }
>> } https://www.thecvefoundation.org/
>>
>> I had previously opined that it was time for EC/EU (maybe NATO) to take on
>> funding this, and to move/replicate the effort outside of MITRE.
>> That was before I knew of the foundation.
>>
>> I think that MITRE has done the best job possible ... for a beltway
>> entity... but that it hasn't been very helpful. 3h webinar required to learn
>> what a CVE is before you can get allocations.
>> yes, useful to the unwashed C* masses...
>>
>> I'm of the opinion that RIPE can and ought to take on a role here as
>> representatives of the ISP operator community. Both in a leadership role and
>> as a source of funding. The FAQ says to contact [email protected],
>> and this email is BCC'ed to them.
>>
>> (Many open source projects get dozens to hundreds of "potential" CVEs from
>> fuzzers who need a CVE number assigned in order to claim a bounty. There is
>> now a cottage industry of fuzzers. It's a perverse result of the bounty
>> programs... creating a huge amount of work to review potential issues, which
>> often are impossible to actually exploit... and never come with fixes)
>>
>> --
>> Michael Richardson <[email protected]>
>> . o O ( IPv6 IøT consulting )
>> Sandelman Software Works Inc, Ottawa and Worldwide
-----
To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ripe-list.ripe.net/
As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings.
More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
