Reply to post: Re: Distributed Weakness Filing, enough volunteer labour

CVE bug system has bugs – quick, use this alternative, say hackers



So I (Kurt Seifried) have some experience with this: I've assigned almost 5,000 CVEs myself (4,760 as of October 18, 2015, when I last counted), and I've been involved with vulnerability management/analysis for almost two decades.

The problem is that you, and I suspect Mitre, are caught in the trap of thinking about this problem as a single issue when in fact (as Art Manion of CERT pointed out) it's actually two problems:

1. Assigning IDs

2. Analysis, deconfliction, write-up

https://cve.mitre.org/data/board/archives/2016-03/msg00004.html

DWF aims to address problem #1 by making it much simpler to get a DWF, and by pushing DWF assignment as close to the vulnerability as possible, e.g. by getting major researchers on board and assigning, and also by getting vendors and vulnerability coordinating bodies on board. A perfect example of this is the first official DWF assigned, DWF-2016-89000:

https://bugzilla.redhat.com/show_bug.cgi?id=DWF-2016-89000

https://patrick.uiterwijk.org/DWF-2016-89000/

https://www.google.ca/search?q=DWF-2016-89000

The second problem is also largely already solved by the community, but there are no good feedback mechanisms with CVE (I should know; I've been reporting errors to them as I find them for over a decade). DWF solves this problem by being fully transparent and open and by using the GitHub platform to make feedback (in the form of pull requests/issues) really easy and, more importantly, to make correcting things easy (multiple DWF project people will have commit access). So if you do find an error or conflict you can easily report it, and if you want to add information to an issue, you can also do so easily through the Artifact Database. As for write-ups, the community already does this; witness security researcher reports and advisories, or vendor advisories. There is no need to rewrite these things constantly.

So, in conclusion: this is pretty much the classic Cathedral vs. the Bazaar. The DWF open source model is a lot easier to participate in, and we've specifically picked a platform (GitHub) that makes it trivial for people to interact with DWF and help the community help itself.

https://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar
