NVD Remains Stalled on Enriching CVE's, Security Industry Criticizes NIST’s Consortium Plan

NIST has updated its NVD Program Announcement page this week with more information regarding the mounting concerns and delays in enrichment efforts. In mid-February the NVD halted CVE enrichment, the process of adding valuable details and context to a CVE record, like severity and exploitability, which help organizations prioritize patching and mitigation efforts.

NIST had advised of delays with a notice that it was “currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” These delays have left security vendors and organizations without metadata on the vast majority of CVE records.

The update published to the NVD website this week acknowledges the “growing backlog of vulnerabilities” and cites an increase in software and changes in interagency support as the reasons for the delayed analysis:

NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.

There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.

Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.

We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.

We will provide more information as these plans develop. NIST is committed to its continued support and management of the NVD.

The latest update gives the impression that NVD’s CVE enrichment isn't returning anytime soon but last week at VulnCon, CyberScoop reports that NVD program manager Tanya Brewer said a notice will be published in the Federal Register in the next two weeks, announcing the process for forming an outside consortium to help improve the database.

She relayed a number of planned improvements in the next 1-5 years, including customizable alerts and new data types, partially automated analysis of CVEs, and a glossary of vulnerabilities.

Brewer told CyberScoop that the reduced activity at the NVD was a “long story” that amounts to “administrivia,” and attributed it to budget cuts, a team that hasn’t grown beyond 21 people since 2020, and the growing volume of data submitted.

Critics Not Satisfied with NIST’s Response to Concerns#

Brewer’s remarks at VulnCon were met with skepticism by some in the cybersecurity community. The lack of clarity regarding the abrupt challenges encountered in mid-February has left a gap in trust and communication. Tom Alrich, co-leader of the OWASP SBOM Forum, published a post on EnergyCentral’s Digital Utility Group forum criticizing NIST’s response.

“She didn’t explain what the problem was that came up in mid-February, although she said the NVD will explain it when the statement is approved (it sounds like that might be a couple of weeks),” Alrich said. “The fact that the problem appeared six weeks ago and still hasn’t been explained publicly doesn’t exactly fit that bill.”

Alrich also criticized the explanation that there was “some sort of ‘silly governmental problem,’ which everyone would think was ridiculous if they knew about it.

"Unfortunately, the people in the audience (I attended virtually) didn’t seem to be enjoying a hearty belly laugh with this statement. This incident – which is ongoing, of course – has caused real pain to real people worldwide. Moreover, by minimizing it like she did, she sent exactly the wrong message. People might have been comforted if they’d learned that what happened in February was an out-of-the-blue disaster that is unlikely to happen again. Instead, they heard it was something simple. That means it could easily happen again. Oops.”

Brewer emphasized that the NVD isn’t shutting down, as some had speculated, but Alrich reports someone from the audience pointed out that there are still ~4,000 CVE reports that have been filed but don’t appear in the NVD, a substantial increase in the organization’s normal backlog.

A group of two dozen security professionals wrote an open letter, urging members of the U.S. Congress to investigate the ongoing issues with the NVD and ensure NIST has the necessary resources to resume and improve normal operations. Its authors maintain that they are “deeply concerned with the loss of this functionality and the lack of transparent communication from NIST about this issue to the cybersecurity community and organizations that depend on it.”

The letter also suggests Congress consider moving NVD’s operations to CISA’s control and expresses concerns about the possibility of the NVD becoming a volunteer effort:

With the latest revelations at VulnCon, we question whether a consortium under NIST makes sense at all. Perhaps NVD should move to CISA and have a consortium under the JCDC which already exists. With the importance of NVD, it makes more sense to live under CISA whose primary goal is the security of our nation’s critical infrastructure. We request this plan be opened for public comment before it is implemented. We also want to ensure the maintenance and funding of the NVD does not become a volunteer effort.

The authors behind the open letter aim to publish it by April 5, 2024, which should roughly coincide with when NIST plans to publish a notice in the Federal Register about the process for forming an outside consortium. The NVD has not communicated about when it will resume enriching CVE’s.

In the meantime, security professionals are relying on other data sources and social media to prioritize vulnerabilities. Anchore, an SBOM-powered SCA platform, has launched an open source project they’re calling “NVD Data Overrides.”

“We're working on adding the same type of thing NVD used to do to the CVE data,” Anchor VP of Security Josh Bressers said on Mastodon. “The data is licensed CC0, anyone can use it for anything. The data repo currently has over 500 enriched IDs (there's a lot more to do, but this is how it starts).”

The project was created to provide additional data that is currently missing from the NVD, but it doesn’t provide severity information as only the NVD can supply NVD CVSS scores.

“The vulnerability world is now so big we need to cooperate the same way open source works,” Bressers said. “Nobody can do this alone anymore.”