Discussion: define policy around CVE ID transfers #1480

@mprpic

Right now, any CNA can choose to use the `PUT /cve-id/{id}?org={cna}` endpoint to transfer the ownership of a CVE ID (and its associated record if one exists) to any other CNA. This is useful in cases when a CVE was assigned by a CNA with an overlapping scope to another CNA and later transferred on a mutual agreement of those CNAs.

This issue serves as a discussion point to define when transfer of CVE IDs should be allowed, whether a mechanism should exist that enforces an agreement of both parties on a transfer and what the mechanics of that could look like, and what side effects CVE ID transfers have on the underlying data.

See also related issue that sparked this discussion: #1479.

Status: Needs Triage