@gregkh actually 3000 is not a lot. I’m looking at the data and there’s some interesting trends with other CNAs.
There’s also also two CVE ecosystems now: the open source and the closed source. Most People are used to dealing with the closed source involves applying patches, made available by the vendor products that they have deployed.
But now they’re having to deal with the open source, and they have to do their own homework as it were, figuring out if they use this source in anything ( they likely have because of dependency chains), and remediating it on their own.