There seems to be little reason for the US government to
pay for this since it is vital information that a lot of
companies rely upon.
Some form of a foundation or NGO could be given a reasonable
endowment from the industry to operate the CVE program.
I am quite hesitant to trust the DOD to keep track of software vulnerabilities. Some parts are developing and exploiting vulnerabilities. And given a fresh feed of what people find, and usually a delay from notification until publication, which may sometimes just be a bit longer of a delay, would allow the DOD to weaponize the vulnerability for their own use as well.