> I'm technically aware, but do I really have the expertise and bandwidth to tell the difference between an actual CVE and one that isn't, for the whole database?
I sure don’t. But who does? Who gets paid by whom to make this all work? Apparently whatever is happening now ain’t it.
On the one hand it seems like, if you are reporting a security issue, you should presumably have some kind of PoC. On the other hand we’ve seen plenty of exploits that required chaining a half dozen not-obviously-exploitable issues to achieve a successful exploit. If someone at MITRE has to adjudicate these issues for every CVE in all possible programming languages for all possible exploits for all possible software… well that seems like a tough job anyway.
I think the people using the CVE database as some kind of official source of actual security issues, as opposed to reported potential issues, is the problem.