Supplementing CVEs with !CVEs
Posted Dec 8, 2023 14:11 UTC (Fri) by atnot (guest, #124910)
In reply to: Supplementing CVEs with !CVEs by farnz
Parent article: Supplementing CVEs with !CVEs
To my knowledge this is backwards, at least historically. The issue of finding out whether your version was vulnerable was already a solved issue: you just asked your vendor, which had their own bug tracker ID. People weren't really pulling in random versions of hundreds of dependencies to the degree they are now, so this sort of scanning wasn't really that necessary.
So the primary purpose was really more to enable more cooperation for security bugs by having an independent central place that would host issue descriptions and give them a unique number. You can sort of see this from the process, I think: CVEs are assigned mostly by affected companies, they are not really given more than cursory verification, and they were originally just a straightforward republishing of the author's description, without any further classification by MITRE. Attaching meaning to those IDs was the job of other entities, like the affected companies and national CERTs. In this regard, CVEs still work as intended.
I think where this started going wrong was with the introduction of things like CVSS, which increased their duties from merely hosting a database of claims to interpreting those claims, a thing which they are really wholly unequipped for doing. There were plenty of other causes of course, but all of this moves the CVD from a role of merely neutrally numbering important claims to being a factual, accurate description of every vulnerability ever discovered, which the process is not remotely set up for.