Since 2005, the National Vulnerability Database (NVD) has published details on the hundreds of Common Vulnerabilities and Exposures (CVEs) discovered by security researchers around the world. But last month, the crucial government-sponsored database went from being an essential tool to a nearly idle one.
That’s when the NVD posted a cryptic announcement on its website saying that users “will temporarily see delays in [our] analysis efforts” as the National Institute of Standards and Technology (NIST) implements improved tools and methods. No further explanation was provided.
The freeze is not total: NIST is still documenting a small percentage of CVEs, but nowhere near the rate seen in previous years. This leaves corporate security managers struggling to stay ahead of new threats.
The CVE model consists of 365 threat collection partners, about half of them based in the United States, covering a broad range of software vendors, bug bounty operators, and private research firms. Each participant publishes new entries under a defined process that ensures each item is unique. Since the beginning of the year, more than 6,000 new CVEs have been published.
But for some inexplicable reason, nearly half of them lack any accompanying details in the NVD, the details that make vulnerability data useful to corporate security managers and to the many vulnerability management tools that help prevent potential damage from attackers.
One such tool is Tenable’s Nessus vulnerability scanner. Its researchers point out that NIST’s NVD provides additional context for a given vulnerability, context that can determine whether the threat is critical and requires immediate patching, or whether it affects a broad population of applications and operating systems.
Dan Lorenc, CEO of Chainguard, wrote a LinkedIn post last month documenting the situation. “The [latest] CVE entries contain no metadata about what software is actually affected,” he wrote. “This is a huge problem, and the lack of any real statement about the problem [by NIST] is worrying.”
Lorenc isn’t the only one who believes this. “This is a data set of national importance,” says Josh Bressers of Anchore, who also posted comments on the situation earlier this month. “I would have expected clearer communications, because no one knows anything. It’s all a mystery.”
NIST representatives did not respond to Dark Reading’s requests for comment.
Before the February freeze, NIST regularly updated each CVE with this useful metadata, though these updates sometimes took weeks or months from the date of discovery to appear in NVD entries. “However, as the industry has seen, waiting for NIST to integrate CVE records comes at a cost. With more CVEs issued each year, we now have more opportunities for software vendors to provide more complete CVE records,” Tenable researchers said. Translated, that means someone else has to pick up the slack.
Morphisec, a security tools vendor, published a blog post describing the NVD situation earlier this month. “Smaller organizations are constantly looking for patches. The lack of metadata in the NVD means they are missing out on immediate benefits, and it will reduce their overall security,” says Michael Gorelik, CTO at Morphisec. “This means that potential business disruption is inevitable, especially in the ransomware-rich landscape we have today. This is a bigger immediate problem than the threats posed by GenAI.”
Tom Pace, CEO of NetRise, says the freeze is a problem. “We no longer know the impact of particular vulnerabilities,” he says. “This is not a good situation. Many people around the world rely on this data set. This will make patching more difficult and slower.” That means bad actors have more time to make their way into corporate networks.
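The enrichment gap described above (records published without CVSS scores or affected-product data) can be measured directly in an NVD feed. The following is an added example, not code from the article or from any vendor it mentions; it assumes the field names of the public NVD API 2.0 response (vulnStatus, metrics, configurations, cpeMatch) and uses a constructed sample with placeholder CVE ids.

```python
import json

# Constructed sample shaped like an NVD API 2.0 /cves/2.0 response. The field
# names follow the public schema; the CVE ids and CPE strings are placeholders,
# not real records.
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {
                 "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{
                 "vulnerable": True,
                 "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "configurations": []}},
    {"cve": {"id": "CVE-0000-00003", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-0000-00004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {
                 "baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{
                 "vulnerable": True,
                 "criteria": "cpe:2.3:o:example:os:2.1:*:*:*:*:*:*:*"}]}]}]}},
]})


def affected_cpes(cve):
    """Return the vulnerable CPE criteria that NVD enrichment attached to a record."""
    return [m["criteria"]
            for conf in cve.get("configurations", [])
            for node in conf.get("nodes", [])
            for m in node.get("cpeMatch", [])
            if m.get("vulnerable")]


def is_enriched(cve):
    """A record is usable by a scanner only if it carries both a CVSS v3.1
    score and at least one affected-product (CPE) entry."""
    has_cvss = bool(cve.get("metrics", {}).get("cvssMetricV31"))
    return has_cvss and bool(affected_cpes(cve))


def enrichment_report(raw_json):
    """Split a feed into enriched / unenriched ids and compute the unenriched share."""
    records = [v["cve"] for v in json.loads(raw_json)["vulnerabilities"]]
    enriched = [c["id"] for c in records if is_enriched(c)]
    missing = [c["id"] for c in records if not is_enriched(c)]
    share = len(missing) / len(records) if records else 0.0
    return {"enriched": enriched, "unenriched": missing, "unenriched_share": share}


if __name__ == "__main__":
    report = enrichment_report(SAMPLE_RESPONSE)
    total = len(report["enriched"]) + len(report["unenriched"])
    print(f"{len(report['unenriched'])} of {total} records lack CVSS or CPE data: "
          f"{report['unenriched']}")
```

Run against a real API page, the unenriched list is the set of CVEs a CPE-driven scanner cannot match to assets and therefore needs to triage by other means.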
An alternative: MITRE steps forward to fill the gap
NIST may be the agency responsible for the NVD, but the lion’s share of the actual work behind it comes from the well-known defense contractor MITRE, which handles CVE collection. Pace says, “It’s not a technical question: Why can’t MITRE fill the gap? NIST has a smaller crew anyway.” He calls out MITRE for failing in its mission and leaving security teams in the dark.
Dark Reading’s requests for additional information from MITRE were declined: “MITRE is currently unable to speak on this matter,” a company representative said. Pace asks, “How can private industry figure this out on its own?”
Private industry has certainly been working on alternatives to the NVD. To that end, one security consultant commented on LinkedIn that “NVD cannot be fixed and we must give it up and fix both the problem and CVE together. The US government will not solve this problem and solutions must be private and industry-led.”
Numerous other data collections have been created over the decades. Several security vendors, such as Tenable, Qualys, and Ivanti, have built their own vulnerability collections that carry richer metadata and other elements to help prevent attacks. And there are several open source efforts that have been underway for years but have received more attention lately, thanks to the NVD freeze.
One open source effort comes from VulnCheck, which maintains its own NVD++ collection. Another is the Open Vulnerability Database (OVD), backed by a variety of vendors, including Google, SonarSource, GitHub, Snyk and others. Both were born out of the frustration of NVD users who wanted more automated querying of vulnerability data; NIST’s NVD had imposed rate limits on these queries, which both NVD++ and OVD eliminated. Switching from NIST’s NVD to one of these collections is not easy, and will require some programming effort and testing time.
Another effort comes from China, where several government agencies have joined together to build their own vulnerability database. This could be bad news for the rest of the world, because it will restrict what gets published, for example omitting the proof-of-concept details typical of the NVD and of open efforts. Researchers speculate that this could also lead to more Chinese zero-day attacks, effectively weaponizing these vulnerabilities.
Another solution: a new industrial consortium
Information on the NVD’s website cites a consortium that may operate the database, although security researchers are skeptical. The statement was sparse on details, such as who would be part of the effort. Pace says: “We have been disclosing and fleshing out vulnerabilities following the same process for years and quite efficiently. Why would we need a consortium now?” Bressers says a consortium is possible, but the devil will be in the details when crafting a more useful successor to the NVD. He says vulnerabilities continue to see exponential growth and that any solution must scale accordingly.
Finally, another complication of the NVD freeze is that it runs counter to reporting requirements elsewhere in the federal government. The latest revision, Rev. 5, of the Federal Risk and Authorization Management Program (FedRAMP) requires federal contractors to use the NVD as an authoritative threat source. “It appears that NIST is somehow trying to weaken this program or divest it while other areas of government are forcing its adoption,” Lorenc noted in his post. “What is happening here?”
Next week, vulnerability researchers will gather for the VulnCon conference in Raleigh, North Carolina, where an “NVD symposium” is on the agenda. Perhaps more details will emerge then.