Does it have to be a government? Why not a third party non-profit? The white hat gets shielded, and the non-profit has credible lawyers which makes suing them harder than individuals.

The idea is to make it easier to fix the vulnerability than to sue to shut people up.

For credit assignment, the person could direct people to the non profit’s website which would confirm discovery by CVE without exposing too many details that would allow the company to come after the individual.

This business of going to the company directly and hoping they don’t sue you is bananas in my opinion.