NIST’s National Vulnerability Database (NVD) has stopped enriching CVE’s, leaving the security community without metadata on 90% of records for the past month. CVE enrichment is the process of adding valuable details and context to a CVE record in the NVD. This additional information is crucial for security professionals to understand the severity and exploitability of a vulnerability, allowing them to prioritize patching and mitigation efforts.
The NVD has added this data to vulnerabilities that have been assigned a CVE ID for the past 19 years but has suddenly stopped doing so, and security professionals are beginning to raise concerns about this critical gap in metadata.
For the past month, the NVD has had a notice published on the website, which offers little information about what is happening behind the scenes:
NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.
An additional paragraph on the Program Transition Announcement page, published on February 13, 2024, requests that the public not contact NIST regarding when this matter will be resolved:
Please refrain from requesting timelines on resolution, we will notify all users through the various channels available when we have information to share on the topic.
NIST’s Lack of Transparency Fuels Speculation#
These puzzling, opaque notices from NIST are fueling speculation in the cybersecurity community. The decision to halt CVE enrichment impacts countless organizations and deserves a more open and informative approach from its custodians. Stopping a service that underpins critical infrastructure, even temporarily, may have far-reaching implications for industries worldwide.
In an episode titled “What’s going on at NVD,” the hosts of the Open Source Security podcast, Josh Bressers and Kurt Seifried, discussed how unusual it is for a government agency to give a notice like this.
“This is like a restaurant saying ‘We’re closed for ‘renovations,’ It’s totally not the health department shutting us down,’” Seifried said.
They likened the NVD to plumbing and electrical standards, a widely used resource that's nearly invisible and taken for granted, yet imperative to avoid industry chaos.
Vendors and organizations that rely on the NVD for vulnerability data now have severe gaps on vulnerabilities that have been assigned a CVE ID within roughly the last 30 days, leaving them with limited information and more manual research required to figure out what software is affected and in need of remediation, as well as how to prioritize these vulnerabilities.
“Whether or not a consortium appears to take over this work, if you consume CVE data you need to pay attention and start thinking about an alternate plan,” Seifried said.
The NVD is the U.S. government’s repository of standards based vulnerability management data, but it relies on several organizations that work together to enable security vendors to automate vulnerability management, security measurement, and compliance. The database is maintained by the MITRE corporation and sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
The U.S. government has proposed a massive budget increase for CISA for 2025, leading Josh Bressers to speculate that perhaps CISA will take over maintaining the NVD.
Bressers also contends that an open source-like model is the only way forward - “it’s the only thing that scales,” for addressing the ever-growing volume of CVE’s:
We need to do things differently. If we try to keep doing it the way it’s been done, we’re going to have the same problems. This is always one of the challenges for new things is expecting the same people to do something in a different way generally doesn’t happen. This is where I think we need a very open source like model where you have many people who can come and sit at the table and work on this stuff. When you restrict something like this to a small group of insiders, it can’t change and grow.
Change is coming, whether through a new consortium or some other means, though it may not be welcome for companies that have made selling vulnerability data their bread and butter.
“The people who consume this data, especially at scale, do not want to have to make significant changes, it’s very risky and costly,” Seifried said.
The vast majority of traditional vulnerability scanners rely heavily on data from the NVD and make millions of dollars reselling that data in their products. These automated scanners may no longer be as effective in delivering timely vulnerability data, which leaves many companies vulnerable to security breaches and critical systems exposed.
“We don’t know what’s coming next, but it’s going to be a wild ride,” Bressers said.
Chris Hughes, president of Aquia, spoke to Infosecurity Magazine about other possible reasons NVD has temporarily halted CVE enrichment.
“Another useful note is that there are folks known as ‘the SBOM Forum’ currently advocating for the NVD to adopt Package URLs (PURLs) as well, given the pervasive use of software packages and open source software (OSS), but whether that materializes is still to be determined,” Hughes said.
The temporary disruption of metadata from NIST may be solved by the reorganization of the NVD with the proposed consortium, but the security community may be forced to explore alternative data sources in the meantime. In the absence of more communication from NIST, organizations should prepare for a potential overhaul of how they identify and prioritize vulnerabilities, as this situation has raised concerns about the long-term viability of traditional vulnerability management tools.