For most (but certainly not all) projects, you fill out a simple form [0]. I've done it before and it's fairly easy.
> and what software is covered by them?
All software is covered by someone, usually by the vendor themselves or MITRE.
> Can a CVE be issued in retrospect?
Absolutely, but it's fairly uncommon.
[0]: https://cveform.mitre.org/
For most (but certainly not all) projects, you fill out a simple form [0]. I've done it before and it's fairly easy.
> and what software is covered by them?
All software is covered by someone, usually by the vendor themselves or MITRE.
> Can a CVE be issued in retrospect?
Absolutely, but it's fairly uncommon.
[0]: https://cveform.mitre.org/