Perhaps we should look at if a similar, distributed model for vulnerability data would work more broadly for CVEs?

This is rather disappointing. Luckily the bulk of OSV.dev isn't directly impacted. We have a distributed database model where OSV feeds are directly pulled from upstream sources directly like GitHub, Canonical, PSF and others without requiring a centralized authority to be in the middle.