Replacing CVE

Published on: 2025-04-25 01:54:17

Assumed Audience: Programmers and others in the cybersecurity industry.

Epistemic Status: Confident.

tl;dr: The industry needs professional certifications and liabilities for not reporting vulnerabilities.

Introduction

I don’t know if you have seen the news, but MITRE’s government contract for CVE was about to expire today (until they got a reprieve).

As techies are wont to do, and since the current administration is behated by most techies, they are up in arms about it.

Let me say upfront: I won’t comment on the politics of this situation.

Instead, might I suggest that we have an opportunity, even with the reprieve?

The Problem

The CVE system has been less good about securing our infrastructure than it has been about giving headaches to some of the most important projects.

Curl gets bogus CVEs all the time and has to spend precious time dealing with them. PostgreSQL does too.

The Linux kernel went a different route and just spams CVEs so that kernel CVEs essentially become ...