yeah but you can't fight human psychology. If I say CVE-2014-0160, only a handful of people will know what I mean, but if I say heartbleed, there's a lot more recognition. Until the singularity happens and we're post-scarcity, people need money and recognition helps get more of that, however indirectly.
let's go further .. domain name means visibility and costs money.. so whoever builds and pays for "cipherleaks dot com" intends to make a business out of it..
Let's imagine a worst case scenario, where thousands of highly skilled hours are put into building common infrastructure ("barn raising") among capable people with implied social promises but not cash, and then a second wave ("cattle ranchers") comes in and starts collecting money for CVEs and pushing out any claims for compensation by authors..
this scenario is playing out in the EU (CRA laws) or de-facto in the USA (VC startups) right now.. with the monetization of CVEs , but foot-dragging and long speeches for compensation of OSS engineering. make sense?