Since 2024, representatives from NIST’s National Vulnerability Database (NVD) have given a presentation at VulnCon with updates on the program. This has been where news broke about significant changes, admissions, and omissions. The talks, typically 30 minutes, are certainly not enough time to tell us what the industry needs to know, and they leave no time for Q&A despite there being considerable demand for it. That is a disservice and a middle finger to the industry.
In 2024, Tanya Brewer addressed the crowd, acknowledged that the backlog of vulnerabilities awaiting analysis was large, and told us that it would be resolved by September of that year. That did not happen, despite a high-dollar outsourced contract. She also talked about the development of an “Industry Consortium” with vague promises that it might help, but it was a ways out. In 2025, NVD representatives told the audience that said consortium was not going to happen. That year’s talk also announced the change to ‘Deferred’ status, meaning 20,000 vulnerabilities were not going to be enriched at the time. Six days later that number stood at 40,000, two days after that it jumped to 60,000, the following day 80,000, and just three weeks after their talk it reached 94,600.
Consider the 2025 talk, which told attendees that NVD would focus more on known exploited vulnerabilities (KEV) and “critical software”. What does that entail? The NVD page that is supposed to help us understand it links to a white paper that is no longer there. We cannot even find it on the Internet Archive’s Wayback Machine because NVD excludes the archive from capturing its pages for some reason, which is itself troubling. Searching anew, we can find a page titled “Critical Software – Definition & Explanatory Material” which defines the criteria as:
EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
- is designed to run with elevated privilege or manage privileges;
- has direct or privileged access to networking or computing resources;
- is designed to control access to data or operational technology;
- performs a function critical to trust; or,
- operates outside of normal trust boundaries with privileged access.
If you are wondering how they know what software meets any of that criteria and is run by any U.S. government (USG) agency or stakeholder, I asked CISA that very question at VulnCon 2024 and blogged in detail about how they operate. We can only hope that CISA has shared that list with NVD; otherwise, how would NVD know at all? Even then, when you consider the staggering size of the USG and its myriad agencies, it is still difficult to believe CISA truly knows all of the software being run. This is especially true because the definition is qualified with “or has direct software dependencies upon”. Ask anyone doing security in developer circles: many organizations are still struggling to understand what a Software Bill of Materials (SBOM) is and why it is important. In short, we cannot trust NVD to know the complete list, but they are apparently making a best-faith effort to guess. Based on my experience with commercial vulnerability intelligence, they do not know a large portion of it.
This year offered even more dismal news, enough to prompt a lot of discussion and speculation in many circles. As always, I see some problems with NVD’s shift and their claims that seem to be flying under the radar, likely because many in the industry I have talked to are still in shock. This year’s big change was telling the audience they would no longer enrich the majority of vulnerabilities. Wow.

What does that mean for the numbers? First, a big shift in how NVD presents them on its dashboard. Here are the fields relevant to me, captured on consecutive days:
| Tuesday | Count | Wednesday | Count |
|---|---|---|---|
| NVD Total | 344,325 | NVD Total | 344,738 |
| Awaiting Analysis | 32,495 | Awaiting Enrichment | 3,255 |
| Undergoing Analysis | 1,042 | Undergoing Analysis | 823 |
| Deferred | 94,546 | Not Scheduled | 123,755 |
| Rejected | 17,476 | Rejected | 17,476 |
That is a significant change, dropping “Awaiting Analysis” from over 32,000 to just over 3,000 under a slightly different name. The difference appears to have been moved to “Not Scheduled”, the new “Deferred”. The arithmetic roughly supports that: the 94,546 Deferred plus the 29,240 that left Awaiting Analysis comes to 123,786, within a few dozen of the new Not Scheduled figure. That is over two years’ worth of vulnerability disclosures that are not planned to be made operational. NVD, which is basically the fragile line that makes CVE data usable for many organizations and was already largely absentee, has now thrown in the towel. Unfortunately, it gets more problematic.
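To make “not enriched” concrete for anyone consuming NVD data by API rather than by dashboard, here is an added example of my own; it is not code from NVD or from this post. It walks records in the shape returned by the NVD API 2.0 (`vulnStatus`, `metrics`, `configurations`, `weaknesses`) and separates CVEs that NVD itself scored and mapped to CPEs from ones that only carry a CNA-supplied score, or nothing at all. The records are constructed with placeholder IDs and values; only the structure follows the real API. It assumes the API status strings in use at the time of writing (“Awaiting Analysis”, “Deferred”, etc.); whether the dashboard’s newer “Awaiting Enrichment” and “Not Scheduled” labels map onto those one-to-one is an assumption, not something NVD has documented.

```python
"""Classify NVD API 2.0 CVE records by enrichment state.

The sample feed below mimics the JSON shape returned by
https://services.nvd.nist.gov/rest/json/cves/2.0. The records are
constructed for illustration: IDs, scores and CPEs are placeholders.
"""
from collections import Counter

NVD_SOURCE = "nvd@nist.gov"  # source NVD attaches to its own CVSS and CWE data

# Constructed sample feed (not real CVE records).
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": NVD_SOURCE, "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "weaknesses": [{"source": NVD_SOURCE, "type": "Primary",
                            "description": [{"lang": "en", "value": "CWE-787"}]}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                "cpeMatch": [{"vulnerable": True,
                              "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            # A CNA supplied a score, but NVD never enriched it: no NVD metrics, no CPE.
            "id": "CVE-0000-0002",
            "vulnStatus": "Deferred",
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis"}},
        {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Rejected"}},
    ]
}

# Every CVSS list the API may carry, newest version first.
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def enrichment_state(cve: dict) -> dict:
    """Return what NVD actually added to one CVE record."""
    metrics = cve.get("metrics", {})
    all_cvss = [m for key in CVSS_KEYS for m in metrics.get(key, [])]
    nvd_cvss = [m for m in all_cvss if m.get("source") == NVD_SOURCE]
    has_cpe = any(
        node.get("cpeMatch")
        for cfg in cve.get("configurations", [])
        for node in cfg.get("nodes", [])
    )
    has_cwe = any(
        d.get("value", "").startswith("CWE-")
        for w in cve.get("weaknesses", [])
        for d in w.get("description", [])
    )
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus", "unknown"),
        "cna_cvss_only": bool(all_cvss) and not nvd_cvss,
        "nvd_cvss": bool(nvd_cvss),
        "cpe": has_cpe,
        "cwe": has_cwe,
        # "Enriched" here means NVD itself scored it and mapped it to products,
        # which is what vulnerability scanners key on.
        "enriched": bool(nvd_cvss) and has_cpe,
    }


def summarize(feed: dict) -> dict:
    """Tally statuses and list CVEs a scanner could not match on NVD data alone."""
    states = [enrichment_state(v["cve"]) for v in feed.get("vulnerabilities", [])]
    by_status = Counter(s["status"] for s in states)
    # Rejected IDs are not expected to be enriched, so they are not counted as missing.
    unenriched = [s["id"] for s in states
                  if not s["enriched"] and s["status"] != "Rejected"]
    cna_only = [s["id"] for s in states if s["cna_cvss_only"]]
    pct = round(100.0 * len(unenriched) / len(states), 1) if states else 0.0
    return {
        "total": len(states),
        "by_status": dict(by_status),
        "unenriched": unenriched,
        "cna_score_only": cna_only,
        "unenriched_pct": pct,
    }


if __name__ == "__main__":
    # Against a real feed, page the API with resultsPerPage/startIndex and
    # pass each page's JSON to summarize().
    print(summarize(SAMPLE_FEED))
```

The point of the `cna_score_only` bucket is that a record showing a CVSS score on the NVD site is not the same as an enriched record: the score may have come from the CNA, while the CPE mapping that lets a scanner match the CVE to an installed product was never added.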
Jumping back briefly, there were warning signs something was coming. After NVD’s failed promises the prior two years, it was difficult to accept that this would be a positive change. Eric Geller summarized the announcement in an article that month and quoted Jon Boyens, the acting chief of NIST’s Computer Security Division, which manages NVD:
We’ve been kind of caught on our heels for the last year and a half
For years, Boyens said, vulnerabilities have been arriving in the database much more quickly than NIST can analyze them and provide detailed information about them, a process the agency calls “enrichment.” That work is “very labor-intensive” and “not scalable to the amount of CVEs that we’re getting in there,” Boyens explained. “We’re fighting a losing battle. We recognize that.”
I have said many times in my blogs and LinkedIn posts that this is utterly ridiculous and unacceptable. Even before VulnCon 2024 and Brewer’s talk, I had submitted a Freedom of Information Act (FOIA) request for NVD’s budget for 2024 / 2025, which still has not been answered. I cited my 2019 FOIA request, which found that they had a budget of $6,066,924.85, a figure that is hard for me to reconcile with the problems they have had keeping up. Without “AI” and with almost no automation, Flashpoint’s VulnDB was doing it for a fraction of that cost. So what were they doing with all that money? I would still like to know, because that is our tax dollars not working for us, and it makes me ask whether there is fraud or abuse at play, because there certainly is waste.

Boyens also made statements that make me question the expertise of his division, as they do not seem to understand the real world of vulnerabilities and exploitation:
To solve this problem, NIST will begin prioritizing which vulnerabilities it enriches based on several factors, including whether a vulnerability appears in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, whether it exists in software that federal agencies use and whether it exists in software that NIST defines as critical.
The first problem here is that the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog is tiny compared to the actual number of vulnerabilities being exploited in the wild. Earlier this week their catalog came in at 1,559 vulnerabilities, while Flashpoint has cataloged over 7,000. We know that number is still not the actual number of exploited vulnerabilities, for many reasons I have blogged about. If Boyens or NIST think that only 1,559 vulnerabilities impact the U.S. government and associated stakeholders, they are wrong. They are also apparently unaware of over 800 vulnerabilities that have been exploited but do not even have a CVE ID.
Jump to today, and NVD’s latest announcement summarizes what they shared at VulnCon, in which they throw in the proverbial towel. At the same time, they actually expand the criteria for software they claim they will prioritize:
Starting on April 15, 2026, we will prioritize the following CVEs for enrichment:
- CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
  - Our goal is to enrich these within one business day of receipt
- CVEs for software used within the federal government
- CVEs for critical software as defined by Executive Order 14028
The first and third bullets are covered under the prior definition, but the second bullet greatly expands that list and speaks to my point above. Do they really think they know what every USG agency is running? I certainly do not think they have the first idea of how long that list is, especially because many USG agencies, if pressed, could not provide an accurate list themselves. That is life in IT, and a problem shared by almost every commercial organization in the world. One thing I learned early on in commercial vulnerability intelligence is not to make assumptions about what customers are interested in. Secunia and SecurityFocus BID did that, and it was a constant source of complaints from their customers; just not directly to them, it seems, as I heard the complaints and neither changed their policies.
So, how do I know I am right? Remember that as of Wednesday, NVD says only 3,255 vulnerabilities are awaiting enrichment. Let’s pretend that number contains no instances where two CVE IDs cover the same software (which we know is not true, since there were 47 Google Chrome CVEs this month alone). That would mean, according to NVD, there are 3,255 pieces of software with a CVE that need enrichment because the government uses them. Realistically, that might be the number of third-party libraries used across the entire USG, if not more, and it leaves out all of the commercial applications and cloud offerings, which in some cases are now receiving CVE IDs.
When some large commercial companies have over 10 million endpoints, I think it is safe to assume that represents more than 10,000 pieces of software, be it commercial, open-source, or service-based. IBM alone has almost 700 products in its catalog. Now back to reality: we know that there are many, many CVE IDs for one product at one vendor, so that 3,255 number shrinks considerably. That is how I know that NVD cannot and does not know the actual list, and is not going to enrich vulnerabilities that are critical to the USG.

Finally, when we saw the shift to ‘Deferred’, I mentioned how that number jumped considerably within three weeks. In a similar fashion, NVD’s ‘Not Scheduled’ count, which was 123,755 on the 15th, dropped to 103,786 on the 16th. No corresponding bucket grew to explain where those 19,969 vulnerabilities went, so we are left wondering if these numbers have any meaning whatsoever. If we are to believe that 19,969 were suddenly going to be enriched, then the ‘Awaiting Enrichment’ bucket should reflect that, yet it does not.
A year ago I blogged and gave CVE a ‘vote of no confidence’. I would hazard a guess that a larger percentage of people would give the same vote to NVD after a third year of depressing news, inaction, and inability to use an exorbitant budget to do fairly easy enrichment. After all, NVD enriches a fraction of the information that commercial offerings do, at a multiple of their price tag. With that, I strongly encourage everyone in the industry to contact your congressional representatives and ask for an investigation into NVD to be opened by the House Energy and Commerce Committee. Not that the USG is performing well and getting much done, but we deserve better.
So demand better.
