
I'm surprised that it was USA's responsibility to fund this in the first place. Why weren't other countries providing funds?


The US has made at least hundreds of billions of dollars from its tech companies and has had a dominance over global tech for a long time. The tech industry has brought a crazy amount of money and power to the US so it makes sense the US puts extra effort to support it.

The US isn't supporting it out of charity, it's good for US businesses to have someone coordinating this for everyone. Why would we want to rely on other countries to be supporting our tech sector? At least now we are subject to only the capricious whims of our own government, as little comfort as that is right now (if another country was funding it we would be relying on the whims of a foreign government, which isn't ideal when tech is the golden goose of your modern economy).


The CVE program was started over 25 years ago. It is very reputable (until yesterday) and it was very much in the interest of the US to be seen as the stewards of this.

The funding requirements can't be that high and I'm willing to bet that other countries and entities would have happily stepped up if they had the chance.

Up until recently CVE was very centralized and only in the last few years have there been steps in more decentralization with CNAs taking more responsibility, Red Hat as a CNA of last-resort etc. So, the cost of doing all of this work has already been shifted partially (!) away from the US but I have not seen any movement towards e.g. moving the program to a foundation which could have been done.

Personally I would conclude that it was the responsibility of the US to pay for this because they wanted to and it was in their best interest to control this program.


They have the chance to step up now. Every commercial company that is supposedly so reliant on this for their very existence has the opportunity today. They can fund it.


What commercial company is going to "fund" this? It's such a strange idea, disconnected from the real world. You may as well say "companies can start doing road maintenance, as they are so reliant on them for their very existence."

And perhaps if there had been more than a day's notice, some consortium could be pulled together, but who's going to pay? Why would private companies do this, how do they profit? CVE program was the roads that everybody could drive on.

The basic lack of understanding of how the world works is killing the US. Why do people think we have such a massive GDP? Where do people think that comes from? We've given control of everything in society over to our dumbest and greediest members that have no clue about how anything works.


Ask the person I was responding to:

> I'm willing to bet that other countries and entities would have happily stepped up if they had the chance.


> but who's going to pay?

The EU. They can have all the massive advantages that funding MITRE will give them. Why won't they step up to the plate? It's killing the EU and they have absolutely no idea how anything works. It's why they're a dying empire.


I will bet money that removing the cap from a bottle will be a hate crime in Europe before they start funding an institution like MITRE that actually functions.


I mention this in another comment. The infrastructure for an alternative is already partially in place.

In my opinion it's mostly the industry needing to adapt to a new setup that needs to happen. It was just "easy" to rely on what's already there. A lot of company policies need to be adapted etc.


Because, contrary to popular views, there is no "government of the world".

So, since the US government needed that (it provides security to US businesses), they organised and funded it (as everything else, with US taxpayers' money, and savings from investors in US and abroad.)

Now, the US government decided to commit temporary-seppuku, so a number of things will happen:

* state-level government will use their local-taxpayer money to fund similar efforts (with duplication of effort), or share it with everyone

* another country or bloc of countries will do it, and decide whether they want to "share". (I suppose Russia and China have more of an incentive to keep their CVE DB private, given their level of dis-integration with US economy? EU maybe?)

* an international, ad-hoc organisation is created to share the funding (something like NATO.) Multilateralism is not exactly in fashion these days, but if EU does it, it will be "international" by design since we're not really a federation; so, states in "Southern Canada" are welcome to join.

* or none of that happens, the CVE db rots for a while, until a sufficiently embarrassing cybersecurity problem occurs, and the CVE db is deemed worthy of the "10% you need to bring back" by President Elon.

Pray your company, families and friends are never on the wrong side of the "reverse-Chesterton's fence".


It's a program the US government spun up to serve America's interests. Why would someone else pay for American interests?

Other countries have their own programs, some cooperating with the US, others separate. China has the CNNVD if you're interested in helping keep Chinese society safe. My government operates https://advisories.ncsc.nl/advisories to serve my country's interests.

Of course, the US is free to abandon their programme and rely on Chinese, Russian, and European vulnerability databases to keep their country safe. It does save them a couple of million after all!


Because USA was a superpower that can afford it easily. Taking the leadership in everything is quite a cheap price to pay when the other end of the bargain is everyone else has to follow you.

Now of course USA is ceasing (voluntarily, by stripping down every international soft power effector in government) to be a superpower, to the great glee of dictators all around the world.

The "we can't afford being great" is a direct admission that USA is no longer a superpower. And is not going to become great again, just another nation again (at whims of China).


The nazis don't think that though, uh I mean conservatives. After they've burned down everything, they expect still to be a superpower somehow. Do they think they can just start a war with everyone who doesn't play ball? It's hard to comprehend what their rationale is, if there is one.


I’m surprised that the world’s greatest universities are in the United States. Why weren’t other countries providing funds?


Don't worry, that will also end soon. Regimes that require political subservience from universities, like the current US administration, inevitably result in poor research capabilities in the long run.


It's a near certitude that Russia and China each have databases of exploitable software errors and prize zero days.

It was to the advantage of the US and allies to coordinate and lead in tracking and fixing such errors.

Multiple countries, companies, and individuals contributed finding and fixing bugs.

The administrative task of keeping track was one part of a greater picture, a part that came with first to be advised and other perks.

It's not that the US had a responsibility to take on the lead admin task, more that in past times the US saw an advantage to being at the centre of global action.

This is just another part of increasing US isolationism.


> It was to the advantage of the US and allies to coordinate and lead in tracking and fixing such errors.

From what I understand of the article, none of these allies were funding it.

> Multiple countries, companies, and individuals contributed finding and fixing bugs.

Clearly that itself isn't enough. Someone has to pay for maintaining this service. It appears that no one other than USA spent money in funding it.


Why would other companies pay for it if they had never been asked?

Why would it be shut down without asking for others to fund it, if it's some sort of burden on the US?

Programs like this pay for themselves many times over. There are only two reasons for cutting this: absolute idiocy, or active sabotage of the US.


Almost every other western country does fund their own databases, CVE was just significant because it's the one central source of truth. It's like a standard. Instead of having to coordinate with dozens of different registries every time you publish a vulnerability you just communicate with one instead.

Researchers also don't directly talk with MITRE; they go through one of the intermediaries that assigns the number.


[flagged]


Funnily this was on the front page recently: https://seths.blog/2025/04/how-to-win-an-argument-with-a-tod...

Don't bother; they're a brand new user trying to cause trouble


In public spaces like this, though on the face of it the argument might appear to be with the toddler, it's also about batting down the idiocy and not letting it swamp out basic common sense and reason.

Bluesky has a different tack that also works: block and hide and don't engage. However in forums like HN, where earnestness and questions are so prevalent, leaving these baiting questions and statements unanswered instead leaves them as bastions of the mind rot. Because these toddler-level arguments are being repeated daily through propaganda channels all over the internet, and if they are never answered, the constant swarm of propaganda takes in even more people.


I do sometimes wonder how different HN would be if it had "block". Mind you I think few people are getting their propaganda from here, it's more likely to be downstream of other well-poisoners.


It's called providing leadership. Worth the money. China will happily fill the void.


I hate this whole disaster but why can't Europe step in for stuff like this?


Because they have their own programs for this already.


I guess that’s why I don’t get all the knee-jerk “China will step in” comments. Even if they did people wouldn’t have the same trust levels as they did with the former USA.

I’d trust a European version a lot more.

China will be able to fill some voids but ideologically they’re not fit to fill them all.


What I meant to say was that China will happily seize the opportunity to try to fill the void (whether it succeeds or not is a separate matter).



