‘Last year, we asked the public for their views on smart products in a series of workshops. People shared concerns that products collect too much personal information, and said that they feel powerless to control how their data is used and shared’

Thank you to these people!

I’m checking this out!

There is some distribution of effort/expertise at least:

When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.

https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/