Article 6EQSB [$] The bogus CVE problem

by jake from LWN.net on (#6EQSB)
The "Common Vulnerabilities and Exposures" (CVE) system was launched late in the previous century (September 1999) to track vulnerabilities in software. Over the years since, it has had a somewhat checkered reputation, along with some attempts to replace it, but CVE numbers are still the only effective way to track vulnerabilities. While that can certainly be useful, the CVE-assignment (and severity scoring) process is not without its problems. The prominence of CVE numbers, and the consequent increase in "reputation" for a reporter, have combined to create a system that can be, and is, actively gamed. Meanwhile, the organizations that oversee the system are ultimately not doing a particularly stellar job.