
from a private thread:

}The CVE Foundation has been formed to fund the CVE effort, due to
}"longstanding concerns among members of the CVE Board about the
}sustainability and neutrality of a globally relied-upon resource being tied
}to a single government sponsor.":
}
}    https://www.thecvefoundation.org/

I had previously opined that it was time for EC/EU (maybe NATO) to take on
funding this, and to move/replicate the effort outside of MITRE.
That was before I knew of the foundation.

I think that MITRE has done the best job possible ... for a beltway
entity... but that it hasn't been very helpful. 3h webinar required to learn
what a CVE is before you can get allocations. Yes, useful to the unwashed C*
masses...

I'm of the opinion that RIPE can and ought to take on a role here as
representatives of the ISP operator community. Both in a leadership role and
as a source of funding.

The FAQ says to contact info@thecvefoundation.org, and this email is BCC'ed
to them.

(Many open source projects get dozens to hundreds of "potential" CVEs from
fuzzers who need a CVE number assigned in order to claim a bounty. There is
now a cottage industry of fuzzers. It's a perverse result of the bounty
programs... creating a huge amount of work to review potential issues, which
often are impossible to actually exploit... and never come with fixes)

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide