
Ondřej Surý <ondrej@dns.rocks> wrote:
> I am not sure if anyone should support CVE Foundation yet. You don't build
> trust just by founding yet-another-foundation and put CVE into the name. Not
> to mention that swapping one US organization for a different US organization
> might not be a best choice as of now.

That's a good point.
I'd like to see RIPE propose one of the board members for the CVE Foundation.
That doesn't get EC (or NATO) off the hook of doing something non-USSA based.
(EUVD is mentioned in the post)

My understanding is the CVE Foundation ("the board") is still in the
formative stage, and had not yet taken any kind of control over MITRE's work.

> I would recommend cautious approach and perhaps thinking about the way
> forward.
> This blog post resonates with me a lot:
> https://opensourcesecurity.io/2025/04-can-we-trust-cve/

That's an interesting read, and the other article about NVD is good too.
https://anchore.com/blog/national-vulnerability-database-opaque-changes-and-...

-- 
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide