jpleger 7 days ago

Hahaha, CVE was created because industry refused to track and report on things in a consistent and transparent manner. When given the option, business will almost always choose the easy path, and things like vulnerability management programs will be set back years if not decades when the external accountability goes away.

In general, lawyers and CTOs would probably love to see CVE go away or be taken over by industry.

Source: been working in security for 20+ years.

SOLAR_FIELDS 7 days ago

Because CVE means accountability. It’s very easy to shift accountability onto someone for an unpatched CVE. If given the chance to escape that accountability I’m sure every megacorp would jump at it.

anon6362 7 days ago

Yup. I'd say around 15% of very severe incidents are ever announced publicly. In most cases, the default is cover-up and hope no one finds out.

To anyone who thinks a libertarian/anarcho-capitalist/Network States "utopia" of Retire All Gubberment Employees (RAGE) is a "good thing", think about air, water, and soil pollution from sewage to arsenic to particulates to lead to radioactivity. Greedy sociopaths DGAF who they hurt, which is perhaps why James Madison observed: "If all men were angels, no government would be necessary." Obviously, this is not human nature, and so some laws, enforcement, and regulators are required indefinitely. Anyone who tells you differently isn't a serious person.