• Home
  • Blog
  • NVD’s Backlog Triggers Public Response from Cybersec Leaders

NVD’s Backlog Triggers Public Response from Cybersec Leaders

NVD Backlog Triggers Cybersec Leader's Public Response
NVD Backlog Triggers Cybersec Leader's Public Response

Just a few weeks ago, we wrote about how the National Vulnerability Database (NVD) is seriously behind in enriching CVEs. On LinkedIn, Mastodon, and other social sites, the NVD’s mounting backlog and what should be done about it has become a hot topic of conversation within the cybersecurity community. 

It’s not hard to see why. From a U.S. perspective, the NVD is itself part of national infrastructure because its data is used to keep private and public sector software products secure – that alone makes it worthwhile for the government to provide the NVD with the funding, support, and expertise it needs. But a disruption to the NVD affects more than just U.S. citizens; the data provided by the NVD is a critical component of vulnerability detection and triaging for organizations across the planet. 

Not everyone may be equally affected by a lack of NVD data, but given the proliferation of open source code in modern applications, somewhere along every software supply chain someone is relying on the NVD. We’re all in this together.

The NVD’s backlog problem

The sad truth is that things have not been going well at the National Institute of Standards and Technology (NIST), the government organization in charge of the NVD, for a while now. A Washington Post article released early last month details the poor state of NIST’s infrastructure and mounting budget constraints. So that’s the backdrop for their announcement at VulnCon on March 28th and, a few days later, a post on their website.

I wish I could report that we now know exactly what went wrong and how it’s going to be fixed—but I can’t. NIST is still tight-lipped about the underlying problem, calling it a “silly governmental problem”, according to Tom Alrich, a consultant and leader of the OWASP SBOM forum who reported on the VulnCon announcement. Since the database is still lagging far behind where it should be, the “silly” problem is likely neither trivial nor fixed.

NIST says they’ve got some support from other agencies to help them work on the backlog, and they’ve reiterated that they plan to form a consortium of “industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.” So, in these last few weeks, we’ve learned more or less nothing new. 

Open letter to Congress 

NIST’s continued questionable PR and stubborn opacity has triggered mounting concern across the cybersecurity community. There is also concern that the “consortium” solution will lead to a volunteer-based NVD where the project could lose its neutrality or be abandoned altogether. By and large, the community wants to see the NVD survive and thrive under the U.S. government’s care. 

One ad-hoc group of cybersecurity pros is taking the problem up the chain to the United States Congress. Led by Chainguard CEO Dan Lorenc, a team of security researchers and practitioners, including myself, have authored an open letter to Congress expressing concern over NVD’s troubles. 

Published earlier today, the open letter urges Congress to do several things: 

  • Investigate the cause of these recent issues
  • Address the lack of transparency from NIST 
  • Ensure sufficient funding to both erase the backlog and make much-needed upgrades to processes and infrastructure
  • Elevate the status of the NVD to “critical infrastructure” that will be unimpeded by normal budgetary issues and government shutdowns

How can you help?

Time will tell what happens to the NVD and the backlog of CVEs waiting to be enriched. Government organizations tend to move slowly, and that’s especially true for older ones (NIST just celebrated its 123rd birthday in March).

In the meantime, concerned U.S. citizens can write to their Congressperson in support of the NVD, and all citizens of planet Earth should make sure their applications are covered by tools that source vulnerability data from more than just the NVD. Mend.io customers are covered on that front. Smaller organizations using only FOSS solutions will likely need to string together multiple resources to stay covered.

End-to-end open source risk management

Meet The Author

Subscribe to Our Blog