
Shit, I think the best way to fight this is to file bogus CVEs against proprietary software vendors. You'll see the industry demand CVEs be fixed within a month.

You can, after all, file CVEs anonymously. It takes no effort to stand up a fake "research firm", or two, or three doing so.

Bonus points if the CVEs are against all the shitty cybersec scan tools.




You can file CVEs anonymously, but CNAs don't have to assign a CVE number if they consider the submission bogus. Depending on the CNA, they may also verify the submission themselves or contact the vendor before assignment (usually the vendor has to confirm the vulnerability before publication, and often the CVE publication date is decided together with the vendor if the vulnerability is not already public).

Of course there are shitty CNAs that don't care. But honestly CVEs are a useful tool for communication, people (both security people and non-security people) should stop obsessing over them.


So what kind of good outcome do you propose? If I correctly understand what you are talking about:
- demand that open source projects fix all CVEs within a short fixed time AND that all projects integrate all upstream and dependency changes almost immediately (or else maintain an array of older versions that are still used by someone)
- demand that proprietary software vendors avoid using any open source project that does not provide the above, and in a short, fixed time switch from using any such dependency that has ceased providing these guarantees (e.g. the maintainer quit) to another one that does.

Which still leaves you with the risk of breaking stuff on upgrade, because now your product is basically baby Debian sid: you must pull the newest versions all the time and cannot stay on a stable version (which will not get patches).



