The NVD Is Not Broken — It Is Architecturally Obsolete
On May 26, 2026, the U.S. Department of Commerce Inspector General published a report that confirms what the security community had been flagging for two years: the National Vulnerability Database has stopped being the authoritative source of vulnerability data that underpinned twenty years of vulnerability management practice. The number that matters from the report is not the 27,000-vulnerability backlog. It is the 12%. Twelve percent was the rate of agreement on CVSS severity among independent evaluators inside the OIG itself, testing the same set of vulnerabilities. This is not a marginal discrepancy. CVSS severity is a measure the entire cybersecurity ecosystem has treated as objective for two decades, and it behaves like a subjective assessment under the U.S. federal government’s own internal testing.