Should the GSD allow private vulnerability identifiers in addition to public ones? #211
kurtseifried started this conversation in Ideas
Replies: 0 comments
Currently, we only assign GSDs for public issues.
Should we support assigning GSD IDs for private issues, e.g. some internal vendor database ID such as UJAF-2023-9289829 could also be GSD-2023-1234567890, for example?
Pros:
Private IDs exist; mapping them to a GSD gives people a chance to maybe say "hey, this is a duplicate of X" or to enrich the GSD data in a way that other people can see.
Cons:
Private IDs also encourage embargoes, which are not ideal for most vulnerabilities.
I also had ChatGPT generate a list of pros and cons:
Pros of Allowing Private Vulnerability Identifiers for Private Vulnerabilities:
Encourages responsible disclosure: Providing private identifiers incentivizes organizations to report vulnerabilities privately, allowing them to work with vendors to patch issues before public disclosure.
Reduces risk of exploitation: Keeping vulnerability information private prevents malicious actors from exploiting the vulnerabilities before a fix is available.
Streamlined communication: Private identifiers allow for clear communication and tracking between vendors and researchers during the vulnerability remediation process.
Greater control for organizations: Companies can manage the disclosure process according to their own policies and risk assessments, allowing for greater control over vulnerability management.
Protects intellectual property: Companies can keep sensitive information and proprietary technology confidential by using private identifiers for vulnerabilities.
Incentivizes research: Private identifiers may encourage more security researchers to investigate and discover vulnerabilities, ultimately improving security.
Enables tailored response: Companies can develop and deploy custom solutions for vulnerabilities without publicly disclosing the issue.
Enhances collaboration: Private identifiers can foster collaboration between organizations and researchers to address vulnerabilities in a discreet and efficient manner.
Minimizes reputational damage: Companies can mitigate negative publicity by addressing vulnerabilities privately before they become public knowledge.
Helps prioritize vulnerabilities: The use of private vulnerability identifiers allows organizations to prioritize and address the most critical vulnerabilities before they become public.
Cons of Allowing Private Vulnerability Identifiers for Private Vulnerabilities:
Reduced transparency: Private identifiers can lead to less transparency about existing vulnerabilities, making it difficult for the broader community to assess risks and develop solutions.
Hinders community collaboration: Private vulnerabilities limit the ability of the security community to work together on finding and fixing issues.
Slower patch development: Private vulnerability identifiers may slow down the development of patches, as fewer people are aware of the issue and able to contribute to a solution.
Potentially unaddressed vulnerabilities: Without public disclosure, some vulnerabilities may never be fixed or patched, leaving systems at risk.
Inconsistent disclosure policies: Different organizations may have varying policies for disclosing private vulnerabilities, leading to confusion and inconsistencies in the security community.
Risk of information leakage: Despite being private, information about vulnerabilities may still be leaked, potentially leading to exploitation.
Centralization of vulnerability knowledge: Private vulnerability identifiers can result in a centralized repository of knowledge, potentially making it a target for hackers.
Potential for abuse: Organizations may use private vulnerability identifiers to hide security issues rather than addressing them in a timely manner.
Missed opportunities for learning: Keeping vulnerabilities private may limit opportunities for the broader security community to learn from and improve upon existing solutions.
Reduced trust: The use of private vulnerability identifiers can lead to reduced trust between organizations and the security community, as well as between organizations and their customers.