I still have not seen a good reason why we need to strike out on our own. I would rather leverage the work of the NVD and MITRE so people can reuse existing tooling, process and procedures.
I would say the NVD is lacking in robotics-specific CVEs because people have not submitted issues. We have opened 3 CVEs with MITRE this year for ROS packages:
- CVE-2019-13445 - potential integer overflow
- CVE-2019-13566 - potential string overflow
- CVE-2019-13465 - potential iterator-caused buffer overflow
ROS is just packages on top of an operating system; it would be like Apache standing up a new vuln database just for Apache projects instead of using MITRE.
Cheers,
-Joe