I think the question everyone in this thread should ask is: why is it the government's job to do this, especially given the prior widespread view that they're doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins? Clearly not: GitHub already runs its own vuln tracking scheme that's better integrated with the tooling we use for open source software. The industry routinely sets up collaborations like standards bodies, information sharing groups and more. And there is a whole ecosystem of security companies to help you understand vulns in your stack.
So there seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.
But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day. It's what Europeans in the 2010s called "austerity" and it always makes some people scream but this graph:
https://fiscaldata.treasury.gov/americas-finance-guide/natio...
... is not sustainable. Up to 1984 overall US debt was stable. Since then its growth rate became dangerous. Debt/GDP ratio is now worse than just after WW2. The federal government is currently spending more on interest than on defense or Medicare:
https://www.crfb.org/blogs/interest-costs-have-nearly-triple...
The US is currently getting its first taste of what parts of Europe started going through in 2008, and unfortunately there's bad news: the cuts you're seeing now are mostly cosmetic. They're what can be done within the current framework of laws, sort of, with lots of bending of the rules and creative interpretations of them and maybe some oversteps. But it's just the start of what's needed. Large scale reform of the laws themselves will be required regardless of whoever wins the next elections.
This is like, exactly the sort of thing that the public sector should be doing. There's no profit incentive for this to happen in the private sector.
I don't disagree with your overall sentiment re: unsustainable debt. But the answer must be reform and taking hard looks at the military budget, not just randomly cutting programs that you disagree with politically.
They are doing it, but there's no profit incentive. GitHub is a bit of a special case because of their commitment to OSS and the broader engineering community, but the moment a downturn occurs and MS takes a harder look at P&Ls, you better believe that's on the chopping block.
The public sector is exactly where you need things that are important to society but don't make money.
There's a profit incentive: GitHub sells its services. The free stuff is an advert.
At any rate, even if they give it away for altruistic reasons, Microsoft is a sustainable going concern that brings in more than it spends. It can afford charity. The US government isn't and can't.
> But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day.
I suppose more people would be more amenable to these wholesale cuts if the current administration weren't blowing through even more money than before [0]:
> The new Treasury Department data shows a deficit of $1.307 trillion for October through March, the first six months of the fiscal year 2025. And spending is $139 billion more in the first three months of 2025 compared to the same period last year, with borrowing over that period $41 billion higher.
We're currently fighting no wars and yet Trump is proposing a record $1 trillion defense budget [1]:
> “We’re going to be approving a budget, and I’m proud to say, actually, the biggest one we’ve ever done for the military,” he said. “$1 trillion. Nobody has seen anything like it.”
And that's before proposed cuts to tax revenue [2]:
> Extending the expiring 2017 Tax Cuts and Jobs Act (TCJA) would decrease federal tax revenue by $4.5 trillion from 2025 through 2034. Long-run GDP would be 1.1 percent higher, offsetting $710 billion, or 16 percent, of the revenue losses.
So this whole "we're just imposing much needed austerity" to justify penny-wise-pound-foolish policies is kind of laughable when the proposed increase to our peacetime defense budget alone wipes out Elon's most recent estimate of DOGE's total savings [3].
Yes. The Republicans are not and never have been united around fiscal conservatism. Eliminate-the-deficit libertarians are one faction within the party but not the dominant one, and Trump doesn't come from it. Same with most right wing parties the world over: the bigger faction is usually one that likes both tax cuts and spending increases. That's why deficits are out of control across the west: between the tax-and-spend left and the don't-tax-but-spend right, the don't-tax-and-don't-spend contingent isn't big enough to outvote the others. Clinton was very unusual in this regard, perhaps a product of the short post-USSR consensus.
Elon is a libertarian and has been allowed to go do some spending cuts around the edges. This gets support from Republican members of Congress partly because the USG turns out to be spending a lot of money on highly partisan Democrat projects, but mostly because it's someone else doing the cutting and not them. Even if they know they should be doing it themselves they don't want the crazies trashing their cars, so if some outsider does it for them that's a deal they'll happily take whilst it lasts.
All that said, it's inevitable that the administration would be blowing through more money than before even with DOGE. It's the nature of debt that it compounds. The level of cuts required to even keep the deficit stable would be huge because interest payments are accelerating, and the cuts DOGE are allowed to make are small (even when they go further than they might technically be allowed).
Right now there's just no mainstream support in US politics for serious austerity. There never is in any country, but sometimes the public can be convinced to agree to some amount if politicians do a good job of communicating the deficit problem. The UK in 2010 is an example of that, where the Conservative/Lib Dem alliance was able to convince the public to vote for spending cuts (albeit not as deep as were actually required... but it tided the UK over until the economy started growing again).