The Collapse of Trust: Rethinking Cybersecurity's Public-Private Divide in the Wake of the NVD Crisis
The lights nearly went out on America's cybersecurity infrastructure this week. And it wasn’t the first time.
On April 15th, MITRE, the quasi-governmental, not-for-profit organization that manages the National Vulnerability Database (NVD), quietly announced they would be "going dark" due to a lapsed contract with the federal government. Within 24 hours, CISA scrambled to find emergency funding. Crisis averted. Business as usual?
Except it's not business as usual. And we shouldn't pretend it is.
Why the NVD Breakdown Isn’t a Surprise
If you’ve been in this space for a while, you’ve felt the cracks.
The NVD hasn’t been healthy for months. For over a year, we’ve seen the analysis pipeline slow dramatically. Vulnerabilities were still being published, but without the enrichment data that makes them usable. The government cited staffing issues. Budget constraints. Bureaucratic limitations. All valid. All predictable.
The NVD, like much of our cybersecurity infrastructure, lives inside a fragile, aging system built on public-private “partnerships” that no longer scale. It’s funded by the government, run by a private nonprofit (MITRE in this case), and increasingly used by companies who treat it like a free utility.
Until it breaks. Then everyone remembers how important it was.
I’ve worked in regulated industries. I’ve worked with the FDA. I know what good public oversight can look like. But what we have here? This is not that.
When one expiring contract threatens the global vulnerability ecosystem, we don’t have a policy issue—we have an architectural flaw.
The Real Problem Isn’t Just MITRE. It’s Us.
This isn’t just about MITRE or the NVD. It’s about a bigger issue: our industry has outsourced far too much of our cybersecurity infrastructure to a federal government that’s underfunded, understaffed, and increasingly politicized.
And the private sector—while benefiting enormously—has largely been content to stay on the sidelines.
What this slow-motion collapse of the NVD has really revealed is deep-seated issues in how we approach cybersecurity at a national, and international, level. It's a reflection of a system that's no longer fit for purpose in our rapidly evolving digital landscape.
The Triple Threat Undermining U.S. Cyber Leadership
The NVD crisis isn't happening in isolation. It's part of a broader deterioration of U.S. cybersecurity infrastructure across three critical dimensions:
1. Brain Drain at Federal Agencies
We're seeing layoffs across critical agencies like CISA, and even more worryingly, voluntary departures of key personnel. The recent mass resignation from the Pentagon's Defense Innovation Unit is just one high-profile example of this trend.
Why is this happening? At least in part, because the government can't compete with private sector salaries due to statutory limits. When I can offer a higher salary to an engineering graduate than what's available for senior government cybersecurity roles, we have a serious problem.
2. The Politicization of Cybersecurity
Perhaps most disturbing is how cybersecurity has become politically weaponized. Consider Chris Krebs, the first head of CISA, appointed by President Trump in his first term, who was recently targeted by an executive order after confirming the security of the 2020 election.
Whatever your political affiliation, nobody wants to risk being persecuted for doing their job.
3. Public-Private Partnership Fatigue
The current model demands the government lead while industry follows, yet the most dependent and capable stakeholders, private companies, remain passive beneficiaries.
While the beneficiaries of the NVD and other programs are government and industry alike, the people with the most skin in the game are private. We build billion-dollar platforms atop a database that depends on the federal procurement calendar.
When federal institutions can’t keep the lights on, or get drowned in political crossfire, critical systems like the NVD become collateral damage.
The Leadership Vacuum
Perhaps most telling in this entire crisis is the silence from those with the most resources to address it. Where are Google, Microsoft, and Amazon?
You also don't see the government-associated think tanks weighing in, because everybody knows the government isn't going to solve this problem.
We're at a universal low point in public faith in government institutions. But equally concerning is that leadership isn't emerging from the private sector either. The voices raising alarms are predominantly from mid-size companies, startups, and individuals—not from the tech giants who have the resources and influence to drive meaningful change.
What We Need to Lean Into Is Self-Organization
Here’s what I believe: the private sector needs to stop waiting for the government to get its act together. It’s time to self-organize.
I’m talking about two major shifts:
1. Build a Private, Globally Funded Vulnerability Infrastructure
I think it's high time to take the whole CVE idea and turn it into a not-for-profit foundation, not another not-for-profit corporation: something right along the lines of the Linux Foundation, where leadership is elected and funding comes predominantly from the private industries that benefit.
But we need support from big tech. If you’re one of the “big guys,” here's the ROI for funding and leading a global vulnerability intelligence foundation:
You build trust with regulators and customers by stepping into a leadership vacuum.
You shape the standards before governments impose them.
You ensure reliability in the infrastructure your own teams depend on.
You future-proof your business from compliance chaos and geopolitical fragmentation.
And the cost? For these companies, it's a rounding error. A $50 million-a-year nonprofit with real staff, modern infrastructure, and a globally inclusive charter could replace, and improve upon, the NVD tomorrow.
2. Professionalize the Cybersecurity Field
Next, we need to professionalize cybersecurity. What the hell is a CISO? There’s no standard definition, no required credentialing, no professional accountability.
This isn't some radical libertarian fantasy. It's how many critical professions already function.
Nobody hires a CFO who’s not a CPA. Nobody lets a doctor operate without accreditation. You can’t practice law without being a member of a state Bar. Why are we treating cybersecurity—something that protects our economy, our infrastructure, our safety—like it’s the Wild West?
We need a self-regulating professional body. Something like the American Medical Association or the bar association for attorneys. A place where standards are created, upheld, and enforced by the community itself, not handed down inconsistently from regulatory bodies playing catch-up.
Why Government Isn’t the Answer Here
I’m not anti-government. I’ve worked in regulated industries, including medical devices. I understand the value of standards, audit trails, oversight.
But the government works best when things move slowly. That’s fine for cars and medicine. It’s lethal for cybersecurity.
We’re moving too fast for the traditional model. New threats emerge daily. Zero-days get exploited within hours. The systems and tools we rely on can’t afford to wait six months for bureaucratic reviews.
Cybersecurity needs to be agile. And the government just isn’t built that way.
From National to Global
Another crucial shift must happen: moving from national to global frameworks. The "N" in NVD stands for "National," yet cyber threats don't respect borders.
Cybersecurity is not inherently nationalistic. There's no reason in the world we can't partner with people like Europe and build a more international database. The fact of the matter is that most of the free world uses the NVD anyway, but it causes issues for international users because it is a very American, and American-led, organization.
A globally-focused, industry-led foundation could create more resilient infrastructure for tracking vulnerabilities while removing the political constraints of a nationally-bound system.
What Does This Mean For You Today?
I get it—most of us aren’t sitting on $50 million and a board seat at AWS. But we’re not powerless.
You need to have somebody like Mend, somebody actually providing this data for you, because we supplement it, add our own research, and clean it up.
If you’re a practitioner, start here:
Don’t rely solely on the NVD. Use platforms that provide enriched, exploit-aware intelligence. At Mend, we combine public CVEs with our own research, reachability analysis, and real-world exploit data. We think we do this best, but we’re at a point where you simply need to be doing something more than the NVD alone, whether it’s with us or not.
Talk to your vendors. Ask what they’re doing to support better vulnerability intelligence. Push them to contribute, not just consume.
Advocate inside your company. Raise this issue at exec meetings. Challenge your leadership to support standards, foundations, and funding models that work.
Support self-regulation. We need certification. We need accountability. We need to professionalize this industry like every other critical function already has.
Because if we don’t, the next collapse won’t come with a warning. And there might not be a 24-hour fix.
The Cost of Inaction
If we continue with the status quo, the consequences extend far beyond occasional funding scares.
First, there's the immediate security risk.
When vulnerability data becomes delayed, incomplete, or unreliable, organizations make security decisions based on partial information. This creates shadow vulnerabilities—security gaps that exist but remain invisible until exploited.
Second, there's the competitive disadvantage globally.
While the U.S. cybersecurity apparatus struggles with funding and political interference, other nations are building their capabilities. China's vulnerability database and research programs operate with substantial government backing. The EU's cybersecurity framework has been strengthened through consistent funding and coordination.
Third, there's the talent exodus.
We're already seeing a brain drain from federal agencies. Without structural change, this will accelerate, creating an expertise vacuum precisely when threats are escalating.
The worst-case scenario?
A major breach or infrastructure attack occurs, and our response is hampered by fragmented data, disjointed communication channels, and understaffed agencies. By the time emergency funding materializes, the damage would be done.
Learning from History
This wouldn't be the first successful transition from government to industry leadership. The Internet Corporation for Assigned Names and Numbers (ICANN) began as a U.S. government contract but successfully transitioned to a multi-stakeholder nonprofit model. The Linux Foundation has demonstrated how competing companies can collaborate on shared infrastructure. Even in cybersecurity, the Forum of Incident Response and Security Teams (FIRST) has shown how international coordination can work without government centralization.
What You Can Do
If you're reading this, you likely have a stake in this future. Here are concrete steps you can take:
For Security Leaders: Start diversifying your vulnerability intelligence sources beyond the NVD. Push your vendors to explain how they supplement government data.
For Technology Executives: Advocate for your company to join or support emerging industry initiatives like OpenSSF or push for new ones focused on vulnerability data.
For Security Practitioners: Get involved in professional organizations pushing for accreditation and standards. The more professionals demand better structures, the faster change will come.
For Everyone: Share this message. The biggest barrier to change is the comfortable inertia of "good enough." Question assumptions about government-led security infrastructure.
Why I’m Weirdly Optimistic
Despite all this, I’m not nihilistic.
Yes, the government isn’t going to fix this. But the industry might. Eventually, someone, probably one of the hyperscalers, is going to step up and lead. Because the cost of inaction is becoming too high.
And I think professional accreditation is inevitable. Maybe not this year. Maybe not even next. But we’re headed there. Because we’ll be forced to. Regulators will demand it, boards will require it, and practitioners will finally insist on it.
The question isn’t if we take back control of our own destiny. It’s when—and who will lead.
— Jeff Martin, VP of Product at Mend.io