[colinbartlett]

From the site: "CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security."

Serious question: How worried should I be that my defacto, go-to database of software vulnerabilities is paid for by the United States Government? How independently run is it? Need I fret that vulnerabilities won't be publicized if they benefit government agencies?

[tedunangst]

One of the more common (and more visible) ways CVEs are assigned is by asking for one on a public mailing list operated out of Russia.

[viraptor]

They're not the gatekeepers of anything. Even if they didn't accept something, you could still post to http://seclists.org/fulldisclosure and everyone who cares would know about it. So there's no reason for them to hide/refuse any entries.

[internet_arguer]

The culture of different government agencies varies widely. US-CERT is run by Carnegie Mellon University. US-CERT, incidentally is far older than the relatively new DHS. US-CERT, Mitre, and the rest are all about transparency and don't have motivation to hold onto really effective exploits.

However, if NSA discovers a ground-breaking exploit, and it's deemed low-risk to US systems, they'll probably keep it. But they certainly wouldn't disclose it to US-CERT or Mitre. Not to mention, since US-CERT and Mitre aren't in the intelligence community, they don't have a mechanism to keep information like that undisclosed.