CVE risk, threats and safety net

[oej]

During the working group meeting today, there was a concern on readiness for handling a situation where the CVE program runs out of funding. We currently do not know what's going on and what the risks are, but as a community we may want to discuss putting together some sort of plan to make sure that if the current funding, which is planned to be in place until march 2026, is not extended.

[gregkh]

CVE says they have funding for a year, so what specifically are people worried about with regards to this?

Worst case, all CNA's just pre-allocate a bunch of ids (like Linux did), and they pull from them until things get back up and running elsewhere or with whatever emerges from the ashes?

[oej]

During our meeting, there was a lot of worry about the funding of the program and what would happen if funding runs out. There are multiple opinions about solutions and we need to find out if OpenSSF has a role here in any way - can we work with the CNAs that pre-allocate IDs and aggregate the feed so that vulnerability management systems still works as expected?

[oej]

WG decision in meeting today:
@SecurityCRob will reach out and try to set up a regular meeting.
CRob to reach out to Tanya, the CVE Board, and the CVE Foundation to explore their interest in a public forum for dialogue , despite potential legal constraints to govt employees. The goal is to organize a neutral space for periodic updates and a Q&A session with community members.

[oej]

While #164 is an interesting idea that we need to explore further, this only covers the Open Source side. This is a good step forward, but we need to discuss the world outside of Open Source too.