> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment,” which will add much of the information described by Garrity to CVEs.
Vulnerability enrichment was mentioned in many talks. However, most organizations seem to handle it internally. There doesn’t appear to be momentum toward a shared or open source solution – at least not yet.
Following your comment's reference leads to a claim of NVD needing 300 to 550 million (?!) per year, but only receiving 4 million in funding. If anyone has pre-2024 data on NVD or MITRE CVE funding, that would be helpful, https://news.ycombinator.com/item?id=43701532
The funding appears to have been cut off today, and both of these comments seem to talk about continuing work and how important it is.
Do you mean to say that some form of threat to the NVD has been around for over a year now? Just want to be sure I'm parsing correctly!