What do you mean? A government service is a public service, by any conventional use of the term. Public/private is orthogonal to open source.

Community-maintained might be a better phrasing.

There's no particular reason a vulnerability database needs to be government-sponsored, and some compelling reasons why it shouldn't be "owned" by one government or another (one being guaranteed continuity even during seasons of change).