Comment by cdirkx
7 hours ago
It doesn't even need to be government-run, we just need the right incentives. I've seen proposals for making some kind of data loss insurance mandatory to compensate victims. The insurance companies would then conduct audits which determine the premiums for the company, and investigate for negligence after a breach.
Edit: Thinking more about it, this would probably also be positive for security investigators. If a company is stonewalling you and ignoring a legitimate bug report, you now have the option to escalate this to the insurer. Maybe they could even facilitate bug bounty programs for smaller companies.
I've had a similar thought in the past. I was thinking about the feasibility of a law being introduced where each company making over a certain amount of money per year must begin a VDP (and optionally a BBP) so that security flaws can be reported to them easily. This can easily be done by simply opening up security@companydomain and using security.txt (https://securitytxt.org). Reports must receive a response in N days, where N is calculated based on available staff, resource allocation, and revenue of the company. If they don't receive a response after N days, this can be escalated to some government agency which can take action against the company for failing to respond to a report on time.
If something like this had been implemented 20 years ago, we'd probably be exactly where we are now. What's the point?