Common Vulnerabilities and Exploits - https://cve.mitre.org/. There are various aggregators of these. For *nix exploits, various distros will have bugs that (mostly) map to CVEs - e.g. Debian has DSAs.
From the site: "CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security."
Serious question: How worried should I be that my de facto, go-to database of software vulnerabilities is paid for by the United States Government? How independently run is it? Need I fret that vulnerabilities won't be publicized if they benefit government agencies?
They're not the gatekeepers of anything. Even if they didn't accept something, you could still post to http://seclists.org/fulldisclosure and everyone who cares would know about it. So there's no reason for them to hide/refuse any entries.
The culture of different government agencies varies widely. US-CERT is run by Carnegie Mellon University. US-CERT, incidentally, is far older than the relatively new DHS. US-CERT, Mitre, and the rest are all about transparency and don't have motivation to hold onto really effective exploits.
However, if NSA discovers a ground-breaking exploit, and it's deemed low-risk to US systems, they'll probably keep it. But they certainly wouldn't disclose it to US-CERT or Mitre. Not to mention, since US-CERT and Mitre aren't in the intelligence community, they don't have a mechanism to keep information like that undisclosed.