This thing looks like a massive scam.
Why are hundreds of people employed to keep a database of bugs?
And then they make a giant drama once their massive government funding gets cut.
Every time this happens I think... you know what would make something more secure and responsive? If it was funded by the actual public and not governments. Direct funding and direct accountability. Or you know... capitalism. Freedom.
Not unlike Wikipedia.
Wikipedia is much worse though because it shows those horrendous begging ads and people fall for them, then through the power of cognitive dissonance they are forced to rationalize their donation and argue forever that Wikipedia is very very good.
As a long time security engineer, CVEs are completely mismanaged and create huge amounts of pointless toil for developers. To wit, there are entire companies that built their business on helping people “manage” vulnerabilities.
Getting a CVE published became some kind of resume / CV padding tactic a decade ago and the quality of the vulnerability information is commensurate with what you might expect.
One of the most valuable activities I perform as a security engineer is triaging “CVE vulnerabilities” and making sure they don’t distract people from shipping working code. Mostly that’s marking them as a false positive or not applicable to our use cases.
So that people can search and figure out if their own projects have vulnerabilities, you know, to improve security. This is obvious.