It could also be manipulated by someone who reports the dark patterns are inaccurate. If it were run by a single org or person, it could get sold to a company interested in gaming the ratings or used to bash things the owner doesn’t like. I’m not entirely sure what your point is. Every way to set this up is subject to bad actors. There are some checks and balances present in the website. Why are they inadequate and why should we not trust this site? Are you, perhaps, an industry dark pattern plant trying to get us to avoid something that could deter dark pattern usage?
The Security Online article only cites Margitelli’s post on the matter. My assumption has been the article used the post as its single source. On one hand, watching MS fuck shit up for years, I want to believe Margitelli. On the other hand, researchers using weird tools and uninterested in reality are why curl is now a CNA.
I’m personally frustrated with Margitelli’s post because it’s all about abandoning responsible disclosure globally rather than naming and shaming (Canonical? Red Hat? Both? Others? If it affects all GNU/Linux I’d expect every single distro maintainer to be named and shamed). Responsible disclosure is our best solution to make sure innocent bystanders don’t get caught in the crossfire. When specific entities don’t abide by responsible disclosure we lambast those specific entities not the entire process built to keep users safe.