CVE, CVSS, CPE, CWE: Sharing the love of vulnerability handling
There is a lot of focus now on "Dependency chain security" - using automated systems to track down known (and possibly exploited) vulnerabilities. At the heart of these systems is an old and somewhat messy system of identifiers, reports and actors that I personally have no full control over who they are and what their agenda really is.
@bagder has a lot to say about CVSS...
I think it would be interesting to focus on this pot of abbreviations and highlight the good, the bad and the ugly. What's stinking and what's shimmering like gold?
And what's the way forward?