This would only work if governments and companies cared about fixing issues.

Also, it would prevent researchers from gaining public credit and reputation for their work. This seems to be a big motivator for many.

If the government wasn't so famous for also locking people up that reported security issues I might agree, but boy they are actually worse.

Right now the climate in the world is whistleblowers get their careers and livihoods ended. This has been going on for quite a while.

The only practical advice is ignore it exists, refuse to ever admit to having found a problem and move on. Leave zero paper trail or evidence. It sucks but its career ending to find these things and report them.

That’s almost what we already have with the CVE system, just without the legal protections. You report the vulnerability to the NSA, let them have their fun with it, then a fix is coordinated to be released much further down the line. Personally I don’t think it’s the best idea in the world, and entrenching it further seems like a net negative.

Does it have to be a government? Why not a third party non-profit? The white hat gets shielded, and the non-profit has credible lawyers which makes suing them harder than individuals.

The idea is to make it easier to fix the vulnerability than to sue to shut people up.

For credit assignment, the person could direct people to the non profit’s website which would confirm discovery by CVE without exposing too many details that would allow the company to come after the individual.

This business of going to the company directly and hoping they don’t sue you is bananas in my opinion.