NVD Update: Help Has Arrived


The National Vulnerability Database (NVD) serves as a critical resource for organizations worldwide, providing standardized information on known software vulnerabilities. Recent challenges have disrupted its operations, prompting concerns across the cybersecurity community. This update explores the issues faced by the NVD, the steps taken to address them, and the implications for stakeholders relying on this essential database.

Understanding the NVD’s Role

Managed by the National Institute of Standards and Technology (NIST), the NVD offers a comprehensive repository of vulnerability data, including Common Vulnerabilities and Exposures (CVEs), Common Weakness Enumeration (CWE), and Common Platform Enumeration (CPE) information. This enriched data supports organizations in assessing and mitigating risks associated with software vulnerabilities.

The Recent Challenges

The NVD is off life support, but we wouldn’t say it’s healthy. It’s more like “undead.” While it has resumed processing CVEs, the backlog of unenriched entries remains substantial. NIST’s conservative goal of clearing the queue by September signals that full functionality may not return for several months.

This has been quite a saga, starting with the news that the NVD stopped most CVE enrichment (you can read about that here). Then came a wave of public support for the NVD to get the funding it needs, as well as news that the NVD briefly stopped entering CVEs into the database altogether. It ultimately caught up on CVEs, although the enrichment backlog continues.

Then there was the mystery about the unnamed agency that suddenly pulled funding from the NVD. The anonymity led us to assume it must have been a secretive three-letter agency, like the CIA. However, it turns out it was a four-letter agency: the Cybersecurity & Infrastructure Security Agency, aka CISA. CISA had previously supported vulnerability coordination and disclosure efforts in collaboration with NIST. Its sudden funding withdrawal created a $3.7 million gap, which NIST had to fill using internal reallocations. Rich Press, director of media relations at the National Institute of Standards and Technology (NIST), told Cybersecurity Dive that NIST filled the $3.7 million gap created when CISA pulled funding by reallocating internal funds. So, hey, that’s good.

NIST’s Intervention and Recovery Efforts

It appears that NIST has already begun spending that dough on some hired help to deal with the massive volume of incoming and backlogged CVEs. Reports vary on how much the deal is worth, but Analygence reported that it was awarded a total contract of $125 million with NIST back in December. However, that figure includes a wide array of cybersecurity services unrelated to the NVD. The NVD-specific portion appears to be approximately $1.8 million—and only if the relevant work is extended through July 2025.

Some are still reporting that Analygence has a contract for $125 million over 5 years with NIST for work on the NVD specifically, but we find that doubtful. It doesn’t seem in line with NIST’s conservative announcement posted May 29th that the backlog would be all sewn up by the end of September. For $125 million we’d expect a shiny new, massively overhauled NVD, not one that’s promising to chug along as normal by the end of the year.

So, what does that mean for organizations trying to stay secure? Not much right now. You might be able to rely on the NVD in October, but for now you still need to draw your vulnerability data from multiple sources. Consider integrating feeds from GitHub Security Advisories, MITRE CVE, and commercial threat intelligence services. Tools that aggregate and enrich data across these sources can provide more consistent coverage during times of disruption.

As of [insert date if available], NIST has begun enriching a limited set of CVEs daily, though the pace remains slower than pre-disruption norms. The community continues to monitor whether contractor involvement will restore sustained operations. You can track the live enrichment activity via the NVD CVE download feed or real-time dashboards hosted by CISA and MITRE.
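As an added example that is not part of the original post, here is what such a multi-source fallback can look like in Python: an NVD record counts as enriched only when NIST has marked it Analyzed or Modified and attached CVSS metrics; anything still in the backlog takes its score and CWEs from a GitHub Security Advisory instead, and the result records which source won so the entry can be re-checked later. The two sample records are constructed, the field names follow the NVD API 2.0 and GitHub Advisory Database response formats as assumptions, and the CVE and GHSA identifiers are placeholders.

```python
from typing import Optional

# States NIST assigns once it has finished enriching an entry.
NVD_ENRICHED_STATES = {"Analyzed", "Modified"}

# Constructed NVD API 2.0-style record still in the backlog: no CVSS metrics,
# no CWE weaknesses, no CPE configurations. The CVE id is a placeholder.
NVD_UNENRICHED = {
    "id": "CVE-0000-00000",
    "vulnStatus": "Awaiting Analysis",
    "metrics": {}, "weaknesses": [], "configurations": [],
}

# Constructed GitHub Advisory Database-style record for the same placeholder CVE.
GHSA_RECORD = {
    "ghsa_id": "GHSA-xxxx-xxxx-xxxx", "cve_id": "CVE-0000-00000",
    "severity": "high",
    "cvss": {"score": 7.5, "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
    "cwes": [{"cwe_id": "CWE-200", "name": "Exposure of Sensitive Information"}],
}


def nvd_is_enriched(cve: dict) -> bool:
    """True only when NIST has analysed the entry and attached CVSS data."""
    metrics = cve.get("metrics", {})
    has_cvss = any(metrics.get(k) for k in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"))
    return cve.get("vulnStatus") in NVD_ENRICHED_STATES and has_cvss


def nvd_primary_score(cve: dict) -> Optional[float]:
    """NIST's own ('Primary') CVSS v3.x base score, or None if absent."""
    for key in ("cvssMetricV31", "cvssMetricV30"):
        for metric in cve.get("metrics", {}).get(key, []):
            if metric.get("type") == "Primary":
                return metric["cvssData"]["baseScore"]
    return None


def resolve(cve: dict, ghsa: Optional[dict]) -> dict:
    """Prefer the NVD when enriched, else fall back to GHSA; 'source' says which won."""
    if nvd_is_enriched(cve):
        cwes = [d["value"] for w in cve.get("weaknesses", []) for d in w["description"]]
        return {"id": cve["id"], "score": nvd_primary_score(cve), "source": "nvd", "cwes": cwes}
    if ghsa and ghsa.get("cve_id") == cve["id"] and ghsa.get("cvss", {}).get("score") is not None:
        cwes = [c["cwe_id"] for c in ghsa.get("cwes", [])]
        return {"id": cve["id"], "score": ghsa["cvss"]["score"], "source": "ghsa", "cwes": cwes}
    return {"id": cve["id"], "score": None, "source": None, "cwes": []}
```

Entries that come back with `source` other than `nvd` are the ones worth re-querying once NIST works through the September backlog target.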

Implications for Organizations

The NVD’s temporary slowdown underscores the importance of diversified vulnerability intelligence sources. Organizations relying solely on the NVD may have faced delays in receiving critical vulnerability information. This situation highlights the need for integrating multiple data sources and maintaining proactive vulnerability management practices.

Leveraging Mend.io for Enhanced Vulnerability Management

Mend.io offers solutions to mitigate reliance on a single vulnerability database. By aggregating data from various sources, including the NVD, GitHub advisories, and other security feeds, Mend.io provides comprehensive vulnerability intelligence. Features such as automated dependency updates and real-time alerts enable organizations to respond swiftly to emerging threats.

For more information on Mend.io’s capabilities, visit the Mend.io AppSec Platform.

The NVD’s recent challenges serve as a reminder of the complexities involved in maintaining critical cybersecurity infrastructure. While recovery efforts are underway, organizations must adopt resilient strategies, incorporating multiple data sources and proactive tools to ensure robust vulnerability management. Continuous support and investment in resources like the NVD are essential to uphold the security of software ecosystems globally.
