by gnfargbl 429 days ago
This kind of a consortium needs to explicitly avoid being captured by both the product vendors (who could be incentivised to manipulate the CVE issuance process to support their own remediation timescales), and by security companies (who could be incentivised to obtain a competitive advantage via preferential access to the CVE database).

It isn't impossible for a commercially-funded organisation to avoid this kind of capture, but it isn't easy either. My mind immediately jumps to the relationship between the Mozilla Foundation and Google.


Then there were two: https://gcve.eu

Plus the proposed "Foundation for Standards and Metrology (FSM)" to build on NIST, https://democrats-science.house.gov/bills/the-expanding-part...

Don't some projects already issue their own CVEs?

CNAs [1] are assigned blocks of CVEs and then assign from within that block, but the system only works if there is overall administration of the CVE Program [2].

My concern is that a capture of the administration would become a capture of the entire programme. Looking at the structure, it seems possible that CISA are in a position to prevent any such capture but, given some of the recent positions taken by the US government, we'll need to wait and see how that plays out.

[1] https://www.cve.org/ProgramOrganization/CNAs

[2] https://www.cve.org/ProgramOrganization/Structure

Yes, but it's a hierarchy. If you disagreed with their judgement you could always go up the chain, and MITRE can take the privilege away again if they think a vendor is misusing it.