NIST fails to deal with avalanche of vulnerabilities: The US Congress as the last hope

NIST explained the reason for the lack of vulnerability analysis in NVD.

The National Institute of Standards and Technology (NIST) attributed delays in vulnerability analysis to an increase in the volume of software and changes in support for interagency programs.

The National Vulnerability Database (NVD) is an important tool for cybersecurity professionals, but since mid-February the organization has had trouble processing new vulnerabilities and has been removing important metadata from the database. NIST announced plans to create a consortium to address the NVD program's problems and develop improved tools and methods.

In 2024, only half of the 8,785 vulnerabilities reported were analyzed, and in December only 199 of the 3,370 reported vulnerabilities were analyzed. A NIST representative confirmed the growing analysis backlog, attributing it to growth in the volume of software and in the number of vulnerabilities, as well as to changes in interagency support.

There is a proposal to create an external consortium to improve the database, as reported by NVD program manager Tanya Brewer at the VulnCon conference. She mentioned dozens of potential improvements and pointed out that NVD staffing remains unchanged at 21 people, while the number of submitted vulnerabilities continues to grow.

Dozens of cybersecurity experts signed a letter to Congress and U.S. Commerce Secretary Gina Raimondo urging them to fund and protect NVD, calling it "a critical infrastructure for a multitude of cybersecurity products." The signatories expressed deep concern about the loss of NVD functionality and the lack of transparent communication from NIST with the cybersecurity community. Experts also noted that NVD funding has recently been cut by 20%.

The letter to Congress highlights that the failure to restore NVD functionality threatens the safety of everyone, pointing to recent incidents such as the cyberattack on Change Healthcare that paralyzed the healthcare industry for several weeks. Experts are calling for urgent action to address NVD issues to ensure that the state of cybersecurity around the world improves.