I work for a company and came across a vendor product that stores highly sensitive data and provides access to multiple companies. I discovered a security vulnerability in the vendor’s product, discussed it with them, and they acknowledged the issue. However, they mentioned that a complete fix would require changes from their customers as well, making it a complex solution.
My vulnerability disclosure included a 30-day confidentiality period, so the vendor agreed to notify affected customers and publish the issue in their security bulletin. However, they refused to file a CVE, as they don’t want global awareness of the issue. Since my company is not their customer and also not their CNA, I’m unsure how to proceed with publishing a CVE. Raising a CVE would help spread awareness among users and potential customers, especially given the sensitive data the vendor handles. How can I find a way to publish a CVE in this situation? Any advice would be greatly appreciated.