There are going to be all kinds of messed up incentives if this is funded from industry.

True, although Google's Project Zero seems to be run pretty well.

Different goals, not cve related.

And how does that relate to this exactly?

Like what?

No, "the industry" is all of us alive in the 21st century who depend on software to make material decisions and to be resilient to attacks and tampering. We were all funding it, and now surely we will see some big tech company now assume responsibility from the federal government (please god don't let it be Oracle...)

so "all" should pay, not only US taxpayers.

That would be an improvement. Perhaps the UN should fund it.

Don't open source developers and users of their software also benefit from the CVE database?

If it were privately funded, what incentive would these private companies have to track bugs for these open source projects that don't make money?

Because secure systems benefit the public generally, not just the corporations that make a profit operating those systems.

The industry won’t want to fund it. It’ll want to profit from it.

The insane number of downvotes you’re getting for saying basic common sense stuff, it’s why we should push for stricter political rules here in HN.

You didn’t say something wrong or controversial, just an opinion. Some ideologies love to pay things with other people’s wallets, and they’ll do whatever they can to pursue this.

Especially the L guy who downvoted this after 10 seconds. get a life

So you trust industry now?

Same question would be for government funded agencies.

No, because the gov funded agencies don't have a personal stake in the outcome.

That's why industry regulating itself doesn't work, and why government regulations exist.