NIST’s NVD has encountered a problem

Whether the cause is insurmountable technical debt, lack of funds, a third reason or all of them, NIST’s National Vulnerability Database (NVD) is struggling, and it’s affecting vulnerability management efforts.

What happened?

Anyone who regularly uses the NVD as a source of information about CVE-numbered vulnerabilities could not have missed the notice featured at the top of its main page since February 15, 2024:

Since then, NIST has still been populating the database with entries for vulnerabilities that have been assigned CVE numbers and have been published on MITRE’s CVE List, but has failed to update many of the entires with information that NVD analysts usually add, such as:

• A description of the flaw
• A vulnerability severity score (CVSS)
• Links to advisories and other references
• CPE entries (metadata that says which solutions and versions are affected by the vulnerability).

NIST hasn’t further explained wherein the problem lies, nor did it say when the cybersecurity community might expect the problem to be solved.

According to Tom Alrich, leader of OWASP SBOM Forum project, Tanya Brewer, the head of the NVD, might offer more information and answer questions this week.

Vulnerability management solutions rely on NVD

In the meantime, enterprise defenders have effectively lost a critical resource, since many vulnerability scanners and other vulnerability managament tools rely on the CPE entires set by the NVD to pinpoint and address security vulnerabilities affecting an ogranization’s systems.

Fortunately, NVD is not the only (free) vulnerability database out there. “Many scanners have worked to integrate things like OSV or the GitHub Security Advisory DB as well recently,” Chainguard CTO Dan Lorenc noted in a topical discussion he started on LinkedIn.

The existence of these databases has made NVD’s stumble a “non-event” for his company, he added, “but not every scanners uses these and many folks still rely on the NVD every day.”

Companies such as Rapid7 and Qualys have had to reassure customers that its products don’t depend on NVD as the only source of vulnerability and risk information.

A problem that must be solved

Despite its faults, NVD is obviously still a crucial resource that currently has no suitable (freely available) replacement when it comes to delivering crucial metadata about vulnerabilities in proprietary software.

A positive thing about the current situation is that the many NVD drawbacks are now being outlined and discussed again, and that a workable solution MUST be found.

Whether that means the end of NVD or drastic changes for the project remains to be seen.

“The NVD needs to continue to operate at least in the near term, but it can no longer be accepted as the most important vulnerability database worldwide. There needs to be a short-term solution, a database in which new CVEs will include [package URL identifiers] for open source software, and other identifiers for proprietary (closed source) software, as well as intelligent devices,” Alrich opined.

“But there needs to be a long-term solution as well. It needs to be internationally supported, but it can’t depend on government funding (although governments are welcome to participate in funding it). I’ve already proposed one such solution, that might be up and running in less than a year. I’m not saying we must go with that alternative, but I am saying there’s no longer any reason why we need to put up with the NVD’s continual delays and creaky infrastructure.”