Disputing a CVE is no straightforward task either, as a GitHub security team member explained. It requires a project maintainer to chase the CVE Numbering Authorities (CNA) that had originally issued the CVE.
CNAs have conventionally comprised NIST’s NVD and MITRE. Over the past few years, technology companies and security vendors joined the list and are also able to issue CVEs at will.
This seems like an issue worth addressing. If it’s too easy to report and too difficult to dispute, I could see the CVE ecosystem being weaponized and turned into a political tool.
Article: https://www.polygon.com/23688170/gary-bowser-hacker-nintendo-released-restitution
In this interview he claims he was simply paid to develop like a contractor and the people running the business still haven’t faced consequences: https://darknetdiaries.com/episode/136/