That's a fair argument. But candidate numbers were abandoned long before the current problem, back when there were only ~5000 CVE numbers assigned per year (vs. 52000+ for 2023). And more crucially, this review was done by the CVE Editorial Board, which is a small group of people who could vote for/against making it the "entry" status. That is clearly not scalable and I'm not proposing that. In fact, I believe there doesn't even need to be an actual vendor intervention to be "confirmed" in my scheme---the researcher should be able to attach a vendor response as evidence in principle. (Of course such a response can be forged, so there would have to be a proper process to counteract that.)