A state sponsored team decides to create hundreds of bogus CVEs that get through. People stop trusting CVEs and it becomes a dirty word. Legitimate CVEs now start getting ignored and there is no good mechanism to surface those properly to teams that need to know. People's systems are now more attacker friendly. Governments and corporations too.
Or, some private company steps in and says they'll take on the burden of sifting through the bogus. But they are not incentivized in the same way... and might only pick and choose what they work on, or not work on, or ignore their own CVEs.
Or, said state-sponsored team maneuvers itself to be that private company that offers to take on the burden! Even if it can't suppress a CVE entirely without tipping its hand, it could delay the announcement - thus giving its attack teams a heads-up on a security advisory!
Decentralized multi-party peer review might be one way around this - ensuring that no single entity can function as gatekeeper. It's a lot of overhead, though, and there's way more time sensitivity than there is with academic peer review processes. And who adjudicates who is an independent subject matter expert on Postgres?
It's a tough problem, made tougher by the fact that it's a "dark forest" environment where any potential advantage to any party will inevitably be leveraged.