Re: CVE Funding
There's a difference between getting money now and then and the US Gov owning it
Yes, but it's not the difference that you think it is, and it doesn't apply to MITRE and the CVE system. You clearly have no idea what you're talking about. MITRE has always been a Federal contractor, and CVE funding has always come from the Feds. The only change here is making that "hard" money (a budget line item) rather than "soft" (taken from fixed-term grants and contracts).
In any case, MITRE's role as CVE coordinator is relatively small. They provide a central clearinghouse for the CNA (CVE numbering) function - but it's the actual CNAs who assign the numbers, and they don't work for MITRE. MITRE determines the format of CVEs, but CVEs don't contain much information anyway; all the meat is in the linked document, which the CVE publisher controls, and if MITRE tampered with the link the publisher would take note and announce that through other channels. There's no usable vulnerability there. And MITRE provides the CVE submission and publication mechanism, but it's open-source and could be duplicated in a matter of minutes.
There are multiple, independent repositories of published CVEs and related information. The CVSS scoring isn't done by MITRE; it's done by NIST, as part of the NVD process, and is duplicated by other organizations such as Red Hat (who often publish scores before NIST anyway).
There are a lot of eyes on MITRE's CVE coordination role - not because anyone (who knows what they're talking about) is suspicious that the government has co-opted it, but because so many people use it. And the possibilities for attack are extremely limited.