I frequently grump about what the #CVE system has become in practice. Folks may think that I’m not a proponent of the program. That’s not true at all. I’m an advocate for it, and for all those who pour their time and talent into it (often voluntarily).

But, IMO it is an overstatement to say that a CVE is a critical element in coordinating response to emerging vulnerabilities like heartbleed or log4shell. Embargoed critical vulns are rarely identified with CVEs among defenders.