diff --git a/_posts/2016-05-04-The_Myth_of_Vulnerability_Management.markdown b/_posts/2016-05-04-The_Myth_of_Vulnerability_Management.markdown index a1b767f..bcb9c62 100644 --- a/_posts/2016-05-04-The_Myth_of_Vulnerability_Management.markdown +++ b/_posts/2016-05-04-The_Myth_of_Vulnerability_Management.markdown @@ -61,4 +61,13 @@ Linux distributions (like Debian or Ubuntu) should introduce the possibility to CPE references in vulnerable_configuration (in CVEs) tend to include the vulnerable operating system but not the vulnerable software itself. cpe:/a: is not always defined and only the vulnerable operating systems are mentioned. There are many potential improvements but the CPE management could be slightly improved with a collaborative approach to add or updates CPE entries. +Maybe software vendors (including free software authors and proprietary vendors) should include a list of CPE describing the software included in their distributions, appliance, IoT, mobile phone... to support the work of people and organization who try to do vulnerability management. + +## References + +- [cve-search project](https://github.com/cve-search/) +- [Debian Popularity Contest](http://popcon.debian.org/) +- [Add Common Platform Enumerator information to package meta information](https://wiki.debian.org/CPEtagPackagesDep) - time to restart this proposal... + + [^1]: CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. [https://nvd.nist.gov/cpe.cfm](https://nvd.nist.gov/cpe.cfm)
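Review bot: the new paragraph is the post's concrete recommendation but opens with "Maybe", which undercuts it, and it leaves open where a vendor's CPE list would live so that tools like cve-search could consume it; since the references already cite the Debian proposal for CPE tags in package meta information, state the recommendation directly and point to that proposal as one concrete place such a list could be published. Also, in the same line, "people and organization" should be "people and organizations", and the "- time to restart this proposal..." aside in the third reference entry reads as editorial commentary rather than a reference; consider moving that remark into the body text and leaving the reference list as plain links.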