Re: Bug reporting programs
Affected versions are part of the information in the CVE submission. I don't know under whose authority it could be "required" to be correct, or who would enforce that, or what would happen in cases where that couldn't be determined.
The CVE program is voluntary. Historically, it has worked (to the extent that it has worked), in no small part because it is voluntary. In many organizations, even relatively large ones, CNAs handle CVE submissions in addition to full-time responsibilities elsewhere. While I am often in favor of using regulation to convert externalities into direct costs for offenders, regulating the CVE process seems likely to have severe revenge effects. It would have to be brought under legal compliance structures in any organization large enough to perceive it as a liability. Fewer issues would be reported, they'd go longer before being reported, there would be less information in the reports, and gaming CVEs (as in the examples in this article) would likely become more prevalent, not less.
Some CNAs have always been better than others. There are rogue CNAs who create bogus CVEs for packages not under their control, such as the infamous CVE-2020-19909. Some CNAs are pressured by corporate management or legal counsel to do a poor job of creating CVE submissions. Opinions differ among reasonable area experts on how much information should be included in a CVE. It's a complex area.