I tried to read this with an open mind, but I think the poster is talking about a lot of problems that are adjacent to CVE (coordinated vulnerability disclosure and vulnerability scoring, primarily) while missing the primary value that CVE provides (a consistent vocabulary to talk about vulnerabilities and a centralized clearing house for distributing vulnerability data), and as a result their proposed solution misses the mark.

The article quotes a Lobsters post approvingly:

    1. We end up with a system like CVE where submitters are in charge of what's in the database other than egregious cases. This is what MITRE supported as the default unless someone became a CNA, something they've been handing out much more freely over the last few years to address public scrutiny.

    2. We end up with a system not like CVE where vendors are in charge of what's a vulnerability. This seems to be what Daniel and others want.

I guess the first problem with this is that the CNA system very much puts vendors in de facto control of what goes in the database. But this description of CVE-like systems is missing the forest for the trees, in that the alternative to CVE is not one of the two scenarios described, but the wild-west situation that existed before CVE, where vulnerability info came from CERT, from Bugtraq/Full Disclosure/etc., and from vendors, often using wildly different language to describe the same thing.

The whitepaper [0] that led to the CVE system described a pretty typical scenario:

    Consider the problem of naming vulnerabilities in a consistent fashion. For example, one vulnerability discovered in 1991 allowed unauthorized access to NFS file systems via guessable file handles. In the ISS X-Force Database, this vulnerability is labeled nfs-> guess [8]; in CyberCop Scanner 2.4, it is called NFS file handle guessing check [10]; and the same vulnerability is identified (along with other vulnerabilities) in CERT Advisory CA-91.21, which is titled SunOS NFS Jumbo and fsirand Patches [3]. In order to ensure that the same vulnerability is being referenced in each of these sources, we have to rely on our own expertise and manually correlate them by reading descriptive text, which can be vague and/or voluminous.

That, and a central clearing house, are what is at stake if a system like CVE disappears, and I fail to see how any professional licensing scheme -- unless the licensing body replicated the CVE system or something like it -- would do anything to address that.

parliament32's comment in this thread perfectly addresses the issues with the article's treatment of CVSS, so I'll not rehash that here, other than to say that the actual score output of CVSS is bad and the people who designed it should feel bad.

[0] https://www.cve.org/Resources/General/Towards-a-Common-Enumeration-of-Vulnerabilities.pdf