I'd rather see this money used for increasing software security through all layers. [1][2]
See, all these vulnerabilities started as major or minor bugs. And these originate from somewhere. While 100% bug-free software may be too hard to be worth the effort in most applications, there is a huge difference between the ideal state, "the first exploit hits you hard, and after two or three more severe bugs in your software, you are out of business," and what we have instead: "you can 'lose' huge amounts of data every few months and are still in business." And no regulator, no expert in a lawsuit, actually nobody, wants to have a look at your source code anyway. Even if you don't hide it through SaaS or other means, almost nobody asks for the source. [3]
Instead, public money is used to declare "cyberwar" and to buy zero-days, which creates an incentive for people to keep their findings private instead of reporting early on. And more importantly, these create an incentive to put in such bugs in the first place. [4]
[2] audits, bug bounties (every bug, not just obviously-security-related bugs), better static analysis tooling and improving type systems and programming languages as a whole, donate to projects like OpenBSD and Mozilla / Rust, etc.
[3] ... unless it is about copyright. But I've never seen such a request in a software-security related incident.
[4] An attacker doesn't even need to establish a full-blown backdoor. They can just contribute some code with a missing or slightly-wrong check, and see how to exploit it later on, after enough time has passed.
We should also invest more in changing "100% bug-free software may be too hard to be worth the effort in most applications". Ultimately, everything else is just a stopgap.
My first reaction was: This is insane. Nobody is perfect. Let's try to reduce the bug rate to 1 bug / 100,000 LOC and we have achieved more than we can hope for.
However, thinking more about it, if you have a system with 1 million LOC and reduced your bug rate to 1 / 100,000 LOC, this means you need to fix 10 more bugs and you are 100% bug-free. This doesn't sound infeasible at all. (Although it may be hard.)
Many companies have bug bounty programs where they will pay people who discover bugs.
I've read criticism of Pwn2Own that argues that some people will find an exploit and save it for the competition rather than disclosing it to the company. This would give time for the exploit to be discovered by others who would use it.
They are basically already funded by public money; the problem is just that the vulnerabilities found won't make it back to the vendors until they are burned.