I know, yet another blog about the National Vulnerability Database’s (NVD) ever-changing numbers?! That’s right, and I am not talking about the changes between April 14 and 15th. The numbers changed significantly because of the way NVD displayed statistics on their dashboard before a dramatic change in their enrichment policy. At VulnCon 2026, Harold Booth updated attendees about NVD’s enrichment efforts after two years of a steadily growing backlog of vulnerabilities that had not received any enrichment.
I had commented on that growth several times on LinkedIn: in February 2024, when the number first passed 1,000, and again after VulnCon 2024, when Tanya Brewer assured attendees they would catch up by September that year. In response to NVD’s recent announcement I blogged again about them “giving up” on enrichment, which is a fair assessment. NVD’s statistics changed not just in numbers but, more importantly, in categories that reflect their new “priority” in enrichment efforts. Here is what it looked like captured on the 14th and the 17th for comparison, the before and after:


Right off the bat you can see that the huge backlog reflected under the “Awaiting Analysis” category vanished overnight, to be replaced with “Awaiting Enrichment”. Further, the “Deferred” category was replaced with “Not Scheduled”, which, as NVD stated, indicates those vulnerabilities are no longer “postponed or delayed” but instead are not planned to be enriched at all. Booth’s talk made it clear that NVD would analyze vulnerabilities in that category if requested under specific conditions, but it was equally clear that the majority would not be enriched under the new plan.
Trying to do the math to figure out what went where isn’t worth it, since there were category changes, no dashboard updates on the 15th and 16th, and other potential unknown factors. For the purpose of this blog we’ll consider that a wash and let those numbers stand. I am more interested in what has happened since then, just three weeks later.
The Numbers Shell Game
I’ll start by including a table of the NVD dashboard statistics for their ‘CVE Status Count’ numbers. Several of the numbers are irrelevant here: ‘Total’, as it is just a total of CVE records; ‘Received’, as it reflects the number of CVEs received by NVD in an unspecified recent timeframe; ‘Modified After Enrichment’, since that number encompasses changes after the initial enrichment; and ‘Rejected’, as those do not require any form of enrichment or analysis. Further, note that on April 25 I was traveling all day and did not have a chance to note the numbers, but the differences in that time period are negligible here. We’ll further ignore ‘Awaiting Enrichment’, due to it being a trivial number of vulnerabilities, as well as ‘Undergoing Enrichment’ for the same reason, and focus exclusively on ‘Not Scheduled’.

What NVD’s analysts do, outsourced or internal, is basically the same as what the VulnDB team does. Newly disclosed vulnerabilities go into a queue where humans, automation, so-called AI, or some combination thereof perform analysis. That effort is done for a variety of reasons, typically around normalization of the data as well as generating metadata. Depending on who is using the data and for what purposes those efforts will vary, but the general idea is the same. I mention it because I am extremely familiar with how vulnerability databases work and with working in a queue like this.
As we get down to the point at hand with all the disclaimers out of the way, faithful readers may be thinking “now the dirt really starts!” Unfortunately this is so simplistic as to be laughable, and there just isn’t a lot that needs to be said to expose how silly this shell game is. That number is essentially the marker used in the classic Three Shell Game, a form of short confidence game used to swindle people. Starting with April 15, we see 123,755 vulnerabilities are not scheduled for enrichment. That’s a lot, over one third of all vulnerabilities cataloged by CVE since 1999. That alone should be enraging given how much taxpayer money NVD has wasted over the years ($6,066,924.85 in 2019 alone). That’s enough to fund the entire VulnDB team for over a decade.
With the new “plan” for enriching a minimal set of vulnerabilities, the ‘Awaiting Enrichment’ numbers are about as expected. Without NVD releasing an exact list of the products they will enrich, it is hard to know whether the numbers are truly accurate. The ‘Undergoing Enrichment’ number begs the question of what NVD is using all that money for now, if not for enriching vulnerabilities. The ‘Rejected’ bucket is completely out of their control and at the mercy of MITRE and the CVE Numbering Authorities (CNAs). Finally, that leaves us ‘Not Scheduled’, which is the real curiosity.
A day after the 15th, that number drops to 103,786, a difference of 19,969. So if those almost 20,000 vulnerabilities are no longer awaiting, undergoing, or scheduled for enrichment… what status are they? Between April 22nd and 23rd we see a drop of 18,835, and then again between April 28th and 29th a drop of 19,906. The day before I planned to publish this it dropped again, on the morning of May 7, landing at 46,788. From April 15th to May 5th that is a total of 76,967 vulnerabilities that are no longer represented in any category that can explain the change. Where did they go? Are they being enriched or not?

Everyone, I bring you Schrödinger’s enriched vulnerability. Meow.
