tl;dr: The industry needs professional certifications and liabilities for not reporting vulnerabilities.

Introduction

I don’t know if you have seen the news, but MITRE’s government contract for CVE was about to expire today (until they got a reprieve).

As techies are wont to do, and since the current administration is behated by most techies, they are up in arms about it.

Let me say upfront: I won’t comment on the politics of this situation.

Instead, might I suggest that we have an opportunity, even with the reprieve?

The Problem

The CVE system has done less to secure our infrastructure than it has to give headaches to some of the most important projects. Curl gets bogus CVEs all the time and has to spend precious time dealing with them. PostgreSQL does too. The Linux kernel went a different route and simply issues CVEs in bulk, so that kernel CVEs have essentially become worthless.

Worthless? Does that mean that CVEs were actually worth something to people?

Yes, absolutely. Script-kiddies that consider themselves “security researchers” try to find bugs in big projects and then get them labeled as CVEs so they can add those CVEs to their résumés. As one user on Hacker News said, “Unfortunately, the CVE database(s) are too noisy to be useful.”

In fact, it got so bad that Curl decided to do the extra work of becoming a CNA, just so it can reject spurious reports and keep the NVD from assigning excessively high vulnerability scores.

Because Daniel Stenberg, the Curl lead, has been so prolific in blogging, people know Curl’s situation well. The first comment on the lobste.rs story said:

“Finally a breather for Daniel Stenberg (original author and maintainer of curl).”
– BenjaminRi

The Solution

In reply, a lobste.rs user called insanitybit said this:

“One of two things is going to happen.

We end up with a system like CVE where submitters are in charge of what’s in the database other than egregious cases. This is what MITRE supported as the default unless someone became a CNA, something they’v...