OSQI (tbray.org)
36 points by speckx on April 2, 2024 | hide | past | favorite | 7 comments



Sounds like a cushy job for three-letter-agency employees, block the flaws your adversaries add and go soft on the ones your own agency added, or at least slow down the process of catching it.


If transparency were taken seriously, that wouldn't be an easy task. And, if it were multi-state, either via multiple states having such an organization or via a collaboration of states and organizations who don't all agree about protecting backdoors for the FBI/CIA/whatever.


Hmm. He's suggesting a model somewhat similar to that of the Corporation for Public Broadcasting.


> It’s an organization created by a national government.

Why? What about this requires the power of "government?"

> Obviously, more nations than one could have an OSQI.

Contributor agreements are about to get way more parsimonious and annoying.

> There would be no suspicion that your employer is trying to enshittify anything

Nation states use software and knowledge of zero days to commit espionage against each other. He can't be serious with this.

> Yeah. Except for, I no longer speak with the voice of a powerful employer.

Yeah, but you speak with the same tone.


Not the original poster but:

>> It’s an organization created by a national government.
> Why? What about this requires the power of "government?"

Budget mostly. I don't think the power of government is strictly required. There are some private organizations which try to take care of the commons (Hiya, Mozilla!), but it's still by and large hard to fund. Why not use public funding for this?

> Contributor agreements are about to get way more parsimonious and annoying.

Why? I don't think the project necessarily needs to be owned by the organization, right? In which case, nothing changes to the contribution model.

> Nation states use software and knowledge of zero days to commit espionage against each other. He can't be serious with this.

That's true, but it's not as if there was no tension there. Significant backdoors could have impacts on the economy of some nations which are therefore incentivized to keep things running smoothly. You can play offense and defense at the same time.


What would motivate its existence if not government?

Google has Project Zero, but it's quite limited in scope, mostly focusing on things in Google's supply chain. What other evidence is there corporations will fund the scale and scope needed to secure the whole ecosystem (that everyone depends on at this point, Open Source won)?

Lots of the security-related organizations that currently exist merely find and report exploits, often even asking for compensation from the maintainer of the software for reporting it (even if it's a bullshit report: https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-f...). Putting more work on volunteers isn't a reasonable ask.


> less than you’d make at Google or Facebook, but a decent civil-service salary.

Wait, which country has that? It's a running joke here in Germany that every entry level developer job pays about as much as doing anything IT-related at the state/communal level.

Oh wait, maybe it's because it's IT and not servicing fax machines.

*disclaimer: FAANG levels of pay are relatively rare here, I'd say developers in general make less than 100k. For every civil-service position I have ever looked up randomly it's more like capped at 60-80k at the team lead/middle management level.



