I think it's time the biggest players in the software industry step up, maybe through a formal consortium. This model would make sense because they benefit the most. Big tech companies rely on CVEs to secure their own products;
They have the means. With their massive revenue and dedicated security teams, these companies could easily fund CVE operations. A consortium approach spreads responsibility fairly;
Shared responsibility, shared benefits. Security is everyone's problem.
Hahaha, CVE was created because industry refused to track and report on things in a consistent and transparent manner. When given the option, business will almost always choose the easy path, and things like vulnerability management programs will be set back years if not decades when the external accountability goes away.
In general, lawyers and CTOs would probably love to see CVE go away or be taken over by industry.
Source: been working in security for 20+ years.
Because CVE means accountability. It’s very easy to shift accountability onto someone for an unpatched CVE. If given the chance to escape that accountability I’m sure every megacorp would jump at it.
Yup. I'd say around 15% of very severe incidents are ever announced publicly. In most cases, the default is cover-up and hope no one finds out.
To anyone who thinks a libertarian/anarcho-capitalist/Network States "utopia" of Retire All Gubberment Employees (RAGE) is a "good thing", thing about air, water, and soil pollution from sewage to arsenic to particulates to lead to radioactivity. Greedy sociopaths DGAF who they hurt, which is perhaps why James Madison observed: "If all men were angels, no government would be necessary." Obviously, this is not human nature and so some laws, enforcement, and regulators is required indefinitely. Anyone who tells you differently isn't a serious person.
> biggest players in the software industry step up
While they are at it maybe chuck $5 to the dev maintaining the open source package that your trillion dollar corporation relies on, that your 50,000 leetcoders can't figure out how to write or live without.
The last people I am ever going to trust about matters of security is US BigTech. Consortium or not. This idea has no legs. We absolutely need an international cyber threat intelligence network, with many checks, balances and oversights. If we're going to ask "who funds it?" then we need to ask "who really benefits from a technology industry?"