Re-imagine CVE and stabilize the system with global participation and federation. Meet up and join the effort in the OWASP Member Lounge.
Not having CVE IDs for newly discovered vulnerabilities would create a cascading effect from the source code down through enterprise operations. Tools that are the foundation of vulnerability management programs inside organizations would fail to recognize when software was vulnerable to new attacks. Coordination among developers, researchers, and downstream providers would be complicated without a shared understanding of what the issue actually is. An identifier program that may or may not exist within the next 11 months is equally problematic for developers and downstream consumers. Having a reliable source of truth matters when it comes to finding, fixing, and disclosing vulnerabilities.