by ThinkBeat 430 days ago
I am quite hesitant to trust the DOD to keep track of software vulnerabilities. Some parts are developing and exploiting vulnerabilities. And a fresh feed of what people find, together with the usual delay from notification until publication (which may sometimes be just a bit longer of a delay), would allow the DOD to weaponize the vulnerability for their own use as well.
3 comments

This contract is funded by CISA, which is an agency within the Department of Homeland Security, not DoD. As far as I'm aware, there are no components of DHS with Title 10 or Title 50 authorities to conduct cyber operations, unless you count the Coast Guard but they normally operate under Title 14. So there really should be no conflicts of interest as no one in the DHS is authorized to exploit vulnerabilities as part of cyber operations.
This illustrates a misunderstanding of how CVE functions. It's a repository of data about disclosed vulnerabilities (even if some disclosures are embargoed and not yet published - if anyone but the bughunter and the dev team that owns the fix knows about it, it's disclosed :P). The actual vulnerability discovery process is external and done by individual researchers, teams and businesses who report vulnerabilities to the appropriate groups, called CVE Numbering Authorities (CNAs), who manage the assignment and publication of CVE data within their scopes. There is not much technical advantage in terms of advance disclosure since the CNA controls what data goes to CVE.

As an example, a CNA like Mozilla, Apple, or Microsoft is unlikely to disclose vulnerability data via CVE until they have remediated the issue or have public guidance, and their embargo processes are likely separate from CVE publication.

CVE Numbering Authorities (CNAs) have lots of control over those.