We are working to coordinate many stakeholders to bring this discussion forward. While the problems around the CVE may be handle by the newly formed CVE Foundation, it is far too early to tell and there are some politics going on, like the CVE trade mark being owned by MITRE. We should not act too quickly here, but be a bit careful (unlike ENISA).
Currently OpenSSF, Eclipse ORCWG, OWASP and a few more are trying to coordinate work. We’re lacking a lot of European participation.
I have an open meeting with ORCWG on Monday April 28 which you can find in the community calendar linked at https://orcwg.org/participate/
I would love for RIPE to be part of the work going forward. If you have any questions, please do not hesitate to contact me.
Best regards,
/Olle
On 22 Apr 2025, at 17:52, Patrik Fältström <paf@netnod.se> wrote:Hi,
In Sweden we have Olle Johansson (that some of you might know) that coordinate our effort(s) on trying to understand what's up. I don't know whether Olle is on this list, so I copy him here.
As Ondřej wrote, I do not think we should do anything in panic. We need something that fulfils our needs.
Patrik
On 21 Apr 2025, at 14:29, Ondřej Surý wrote:
Hi,I am not sure if anyone should support CVE Foundation yet. You don't buildtrust just by founding yet-another-foundation and put CVE into the name. Notto mention that swapping one US organization for a different US organizationmight not be a best choice as of now.I would recommend cautious approach and perhaps thinking about the wayforward.This blog post resonates with me a lot:Cheers,Ondrej--Ondřej Surý (He/Him)On Fri, Apr 18, 2025, at 19:09, Michael Richardson wrote:from a private thread:}The CVE Foundation has been formed to fund the CVE effort, due to}"longstanding concerns among members of the CVE Board about the}sustainability and neutrality of a globally relied-upon resource being tied}to a single government sponsor.":I had previous opioned that it was time for EC/EU (maybe NATO) to take onfunding this, and to move/replicate the effort outside of MITRE.That was before I knew of the foundation.I think that MITRE has done the best job possible ... for a beltwayentity... but that it hasn't been very helpful. 3h webinar required to learnwhat a CVE is before you can get allocations.yes, useful to the unwashed C* masses...I'm of the opinion that RIPE can and ought to take on a role here asrepresentatives of the ISP operator community. Both in a leadership role andas a source of funding. The FAQ says to contact info@thecvefoundation.org,and this email is BCC'ed to them.(Many open source projects get dozens to hundreds of "potential" CVEs fromfuzzers who need a CVE number assigned in order to claim a bounty. There isnow a cottage industry of fuzzers. It's a perverse result of the bountyprograms... creating a huge amount of work to review potential issues, whichoften are impossible to actually exploit... and never come with fixes)--Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )Sandelman Software Works Inc, Ottawa and Worldwide-----To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ripe-list.ripe.net/As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings.More details at: https://www.ripe.net/membership/mail/mailman-3-migration/Attachments:
- signature.asc
--Ondřej Surý (He/Him)ondrej@sury.org-----
To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ripe-list.ripe.net/
As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings.
More details at: https://www.ripe.net/membership/mail/mailman-3-migration/