Solving the CVE Crisis: Professional Certification and Mandatory Vulnerability Reporting
2025-04-16
The impending expiration of MITRE's CVE contract sparked controversy and prompted a proposal for improving software security. The current CVE system is plagued by inaccurate reports, which diminish its value. The author suggests a system based on vulnerability attributes rather than scores, together with a Professional Software Engineer (PSWE) certification. Failure to report vulnerabilities accurately within a set timeframe would result in license revocation, creating an incentive to report. The proposal includes funding and training for future PSWEs to address accessibility concerns, ultimately creating a win-win scenario for software security and the sustainability of FOSS projects.