Completely agree that the participants must own what they contribute to the CVE list. That ownership/attribution should be clearly visible on the (new) CVE.org site. Consumers of a poorly written (vague, unactionable) CVE entry should talk to the CNA and not blame the CVE Program or MITRE.
This is no different than how Twitter users are seen as being responsible for their tweets and not Twitter Inc. While a hyperlink in a tweet may increase a tweet's credibility, why would lack of one make a tweet not authoritative? IMHO the reason services like Twitter have a lot of participation is because they do not require everyone to set up their own websites to be able to publish opinions (which was the case in the 1990s :-))

Thank you,
Chandan

On Wed, Aug 18, 2021 at 1:07 PM Art Manion <aman...@cert.org> wrote:
>
> Towards the end of the discussion today, this came up: Participants in
> these sorts of large/distributed systems (the CVE Program) *must* have some
> real responsibility, aka skin in the game. So, the requirement to me is
> that the entity requesting or assigning or populating the CVE entry *must
> also be willing to make the same claim themselves.* This can be a git
> commit, a vendor advisory, a researcher blog post. More than the content,
> the fact that the claim is published by the CVE requester/assigner matters.
>
> Otherwise the system allows participants to push responsibility on the
> program that the program doesn't own -- the program catalogs
> vulnerabilities, the program doesn't own (i.e., discover, create, fix)
> vulnerabilities.
>
> - Art
>

--
Sr Director, Product Security Assurance, Vulnerability Remediation, and PSIRT
Palo Alto Networks
https://security.paloaltonetworks.com/