Thank you for the introduction, Patrik.

I think we have to think both short term and long term at the same time, which is confusing. I’ve been working on the long term plan for a while, which has been reviewed by a large community and you can read and comment here:



We are working to coordinate many stakeholders to bring this discussion forward. While the problems around the CVE may be handled by the newly formed CVE Foundation, it is far too early to tell and there are some politics going on, like the CVE trade mark being owned by MITRE. We should not act too quickly here, but be a bit careful (unlike ENISA).

Currently OpenSSF, Eclipse ORCWG, OWASP and a few more are trying to coordinate work. We’re lacking a lot of European participation.

I have an open meeting to discuss this work with ECLIPSE ORCWG on Monday April 28 which you can find in the community calendar linked at https://orcwg.org/participate/

I would love for RIPE to be part of the work going forward. If you have any questions, please do not hesitate to contact me.

Best regards,
/Olle

On 22 Apr 2025, at 17:52, Patrik Fältström <paf@netnod.se> wrote:

Hi,

In Sweden we have Olle Johansson (that some of you might know) that coordinates our effort(s) on trying to understand what's up. I don't know whether Olle is on this list, so I copy him here.

As Ondřej wrote, I do not think we should do anything in panic. We need something that fulfils our needs.

Patrik

On 21 Apr 2025, at 14:29, Ondřej Surý wrote:

Hi,

I am not sure if anyone should support CVE Foundation yet. You don't build
trust just by founding yet-another-foundation and putting CVE into the name. Not
to mention that swapping one US organization for a different US organization
might not be the best choice as of now.

I would recommend a cautious approach and perhaps thinking about the way
forward.

This blog post resonates with me a lot:

Cheers,
Ondrej
--
Ondřej Surý (He/Him)

On Fri, Apr 18, 2025, at 19:09, Michael Richardson wrote:

from a private thread:

}The CVE Foundation has been formed to fund the CVE effort, due to
}"longstanding concerns among members of the CVE Board about the
}sustainability and neutrality of a globally relied-upon resource being tied
}to a single government sponsor.":
}     https://www.thecvefoundation.org/

I had previously opined that it was time for EC/EU (maybe NATO) to take on
funding this, and to move/replicate the effort outside of MITRE.
That was before I knew of the foundation.

I think that MITRE has done the best job possible ... for a beltway
entity... but that it hasn't been very helpful.  3h webinar required to learn
what a CVE is before you can get allocations.
yes, useful to the unwashed C* masses...

I'm of the opinion that RIPE can and ought to take on a role here as
representatives of the ISP operator community.  Both in a leadership role and
as a source of funding.  The FAQ says to contact info@thecvefoundation.org,
and this email is BCC'ed to them.

(Many open source projects get dozens to hundreds of "potential" CVEs from
fuzzers who need a CVE number assigned in order to claim a bounty.  There is
now a cottage industry of fuzzers.  It's a perverse result of the bounty
programs... creating a huge amount of work to review potential issues, which
often are impossible to actually exploit... and never come with fixes)

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide





-----
To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ripe-list.ripe.net/
As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. 


---
* Olle E Johansson - oej@edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
* Matrix: @oej:matrix.org  Mastodon: @oej@infosec.exchange
* Linkedin: ollejohansson