
Security News
Sarah Gooding
April 10, 2025
At VulnCon 2025, NVD program manager Tanya Brewer and NIST division manager Matthew Scholl delivered a long-awaited update on the status and future of the National Vulnerability Database (NVD) today. The talk came just days after the NVD quietly reclassified tens of thousands of CVEs as “Deferred”, signaling its inability to keep up with growing disclosure volume.
Their virtual session — held in a packed ballroom but streamed remotely — outlined recent recovery efforts, upcoming technical improvements, and a shift in strategy after a tumultuous year. But the format and content of the presentation left some attendees underwhelmed.
“The session is virtual? (Weird, since I saw Tanya at the event.) And only 30 minutes long (including Q&A),” security consultant Jeroen Braak commented on LinkedIn. “For a community that’s been raising valid concerns and waiting for answers, this feels like a missed opportunity… it could further reinforce the perception of [NVD’s] ongoing decline.”
Brewer reiterated that the NVD is a NIST-managed effort, not a CISA program, and remains a top priority within the Department of Commerce. After the now-infamous 2023 processing pause, NIST rebuilt its enrichment and development teams from scratch, an effort that Brewer likened to onboarding an entirely new software org. While processing rates have improved, a 32% spike in incoming CVEs in 2024 has kept the backlog growing.
To help accelerate progress, NVD will begin “gap filling”—accepting CNA-submitted CVSS and CWE data without revalidating it, at least temporarily. This is intended to reduce bottlenecks and push more records through, though it raises questions about long-term data quality and consistency.
One of the biggest surprises was what wasn't discussed in depth. Last year at VulnCon, NIST unveiled plans to form a formal industry consortium via Cooperative Research and Development Agreements (CRADAs) to help guide NVD's future. This year's presentation confirmed that the consortium plan has been quietly scrapped.
Scholl explained that legal and resource burdens made the CRADA structure “too heavyweight” and that NIST would instead rely on more “informal” collaboration through workshops and one-on-one engagement. While this may offer more flexibility, it represents a clear retreat from the more ambitious governance reforms previously promised.
Critics have taken note. Vulnerability historian Brian Martin pointed out that dropping the consortium plan undercuts industry’s ability to help fix long-standing problems with the NVD’s processes, structure, and transparency. The result, he suggests, is a status quo in which meaningful collaboration is harder, not easier.
"There are specific questions that MUST BE ASKED, and most importantly, ANSWERED by Brewer," Martin commented on LinkedIn. "The entire world deserves those answers, and not just around 'the state of NVD.' We know the state; it is screwed in colossal ways. More important is to know why we should believe her talk and answers this time around, when we were told the backlog would be cleared by Oct, 2024, and it has only gotten much, much worse."
Despite the governance shift, NIST shared a number of technical initiatives in the pipeline:
Attendees raised longstanding concerns about the fractured nature of vulnerability data across the NVD and CISA’s ADP ecosystem. Brewer and Scholl acknowledged the duplication and confusion but emphasized that operational and governance challenges prevent a simple unification.
“It’s not as easy as flipping a switch,” Scholl said, pointing to deep-rooted issues around authority, data stewardship, and stakeholder requirements. One CVE Board member at the session pushed back, saying NVD data still isn’t current or open enough to justify ADP status, a clear sign of unresolved tension.
While NIST’s presentation aimed to demonstrate stability and progress, some in the community walked away with a different impression. The short, virtual format left many questions unanswered. The abandonment of a formal consortium process, once touted as a major evolution in NVD governance, raises doubts about how much real change is coming and how open the process will be.