Crisis at the NVD: Urgent Action Needed as Software Flaws Go Unreported
The world’s largest vulnerability database, the NVD, run by the U.S. National Institute of Standards and Technology (NIST), recently suffered a major disruption that produced a growing backlog of CVEs listed but not yet analyzed, that is, without the CVSS scores, CPE product identifiers and CWE classifications the NVD normally adds.
Beginning in mid-February 2024, the NVD's enrichment of newly published CVEs slowed dramatically, and as of May 9 the service stopped showing new vulnerabilities altogether, alarming the security research community.
Specialists from both the public and private sectors are working diligently to incorporate the extensive backlog accumulated over the past three months and fill the gaps where possible.
Since February 12, 2024, NIST has managed to analyze and add only 4,524 of the 14,286 vulnerabilities received. The gap leaves security teams without the scores and product identifiers they rely on to prioritize remediation, and it gives attackers a window in which flaws go unnoticed by defenders.
At the recent RSA conference, Emmanuel Chavoya, CEO of RiskHorizon.ai, stated that unprocessed vulnerabilities are already being actively exploited. Many organizations feed NVD enrichment data (CVSS scores and CPE identifiers) directly into their vulnerability scanners and patch-prioritization workflows, so a halt in publication is a serious operational problem.
Employees of various companies and government agencies confirmed that since May 9 no new vulnerabilities had been delivered through the NVD API. A NIST representative explained that the interruption was caused by the transition to the CVE Program's new JSON record format (CVE JSON 5.0). Vulnerability processing did not stop, but public publication was paused for system updates, which concluded on May 14.
In March, Tanya Brewer, NVD program manager, announced the formation of a consortium to address the issues, but specific details remain unknown. Meanwhile, private companies like RiskHorizon.ai launched their platform called “NVD Backlog Tracker” to monitor unprocessed vulnerabilities.
RiskHorizon.ai claims to cover 85% of the unprocessed vulnerabilities, providing data on their severity and observed exploitation activity; the platform, however, is a paid service.
Other companies, such as Trend Micro and VulnCheck, are also publishing their own enrichment data for new CVEs, offering an alternative to the NVD.
On May 8, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of its Vulnrichment program, which adds metadata such as CVSS scores, CWE classifications, CPE identifiers and SSVC decision points to CVE records that the NVD has not yet analyzed. MITRE, which operates the CVE program, also approved new rules for the organizations that assign CVE IDs (the CVE Numbering Authorities, or CNAs).
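As an added illustration (not code from the article or from any organization it names), the Python below shows how a consumer of vulnerability data can keep scoring CVEs while the NVD backlog persists: it takes NVD's own analysis only when the NVD API record reports the CVE as "Analyzed", and otherwise falls back to the CVSS and SSVC data that CISA's Vulnrichment publishes in the ADP container of the CVE JSON record, and finally to the score the CNA itself supplied. Field names follow the NVD API 2.0 and CVE Record Format 5.x as the author of this example understands them (including the "CISA-ADP" provider name, which is an assumption); all records are constructed and the CVE ID is a placeholder.

```python
# Added example: choose a usable severity score for a CVE during the NVD backlog.
# Preference order: NVD analysis (only if vulnStatus is "Analyzed") > CISA Vulnrichment
# data in the CVE record's ADP container > the CNA's own CVSS in the CNA container.
# Field names follow NVD API 2.0 and CVE Record Format 5.x as understood by the author
# of this example; the "CISA-ADP" shortName is an assumption. All data below is constructed.
from typing import Optional, Tuple

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")                       # CVE 5.x keys, newest first
NVD_METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")  # NVD API 2.0 keys


def _first_cvss(metrics) -> Optional[float]:
    """Base score of the newest CVSS version present in a CVE 5.x metrics list."""
    for metric in metrics or []:
        for key in CVSS_KEYS:
            if key in metric:
                return float(metric[key]["baseScore"])
    return None


def nvd_score(nvd_cve: dict) -> Optional[float]:
    """Score from an NVD API 2.0 'cve' object, but only once NVD has actually analyzed it."""
    if nvd_cve.get("vulnStatus") != "Analyzed":
        return None                      # "Awaiting Analysis", "Received", ... carry no NVD score
    metrics = nvd_cve.get("metrics", {})
    for key in NVD_METRIC_KEYS:
        entries = metrics.get(key)
        if entries:
            return float(entries[0]["cvssData"]["baseScore"])
    return None


def _adp_container(cve_record: dict, provider: str) -> Optional[dict]:
    """The ADP container written by the given provider, if the record has one."""
    for adp in cve_record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") == provider:
            return adp
    return None


def adp_score(cve_record: dict, provider: str = "CISA-ADP") -> Optional[float]:
    """CVSS base score that the provider (Vulnrichment) added in its ADP container."""
    adp = _adp_container(cve_record, provider)
    return _first_cvss(adp.get("metrics")) if adp else None


def cna_score(cve_record: dict) -> Optional[float]:
    """Score the CNA itself supplied in the CNA container, if any."""
    return _first_cvss(cve_record.get("containers", {}).get("cna", {}).get("metrics"))


def ssvc_exploitation(cve_record: dict, provider: str = "CISA-ADP") -> Optional[str]:
    """Vulnrichment's SSVC 'Exploitation' decision point (none / poc / active), if present."""
    adp = _adp_container(cve_record, provider)
    for metric in (adp or {}).get("metrics", []):
        other = metric.get("other", {})
        if other.get("type") != "ssvc":
            continue
        for option in other.get("content", {}).get("options", []):
            if "Exploitation" in option:
                return option["Exploitation"]
    return None


def pick_score(nvd_cve: dict, cve_record: dict) -> Tuple[Optional[float], str]:
    """Return (base score, source) from the first source in preference order that has one."""
    candidates = (("nvd", nvd_score(nvd_cve)),
                  ("cisa-adp", adp_score(cve_record)),
                  ("cna", cna_score(cve_record)))
    for source, score in candidates:
        if score is not None:
            return score, source
    return None, "none"


# --- constructed sample records: placeholder CVE ID, invented scores ----------------------
NVD_BACKLOGGED = {"id": "CVE-2024-00001", "vulnStatus": "Awaiting Analysis", "metrics": {}}
NVD_ANALYZED = {"id": "CVE-2024-00001", "vulnStatus": "Analyzed",
                "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.1}}]}}
CVE_RECORD = {
    "cveMetadata": {"cveId": "CVE-2024-00001"},
    "containers": {
        "cna": {"metrics": [{"cvssV3_1": {"baseScore": 7.5}}]},
        "adp": [{
            "providerMetadata": {"shortName": "CISA-ADP"},
            "metrics": [
                {"cvssV3_1": {"baseScore": 8.8}},
                {"other": {"type": "ssvc", "content": {"options": [
                    {"Exploitation": "active"}, {"Automatable": "no"}]}}},
            ],
        }],
    },
}

if __name__ == "__main__":
    print(pick_score(NVD_BACKLOGGED, CVE_RECORD), ssvc_exploitation(CVE_RECORD))  # (8.8, 'cisa-adp') active
    print(pick_score(NVD_ANALYZED, CVE_RECORD))                                    # (9.1, 'nvd')
```

The point of the ordering is that an NVD record in "Awaiting Analysis" state is not evidence that a CVE is harmless; it is evidence of nothing, so the pipeline must look elsewhere before it is allowed to deprioritize. The SSVC Exploitation value is worth surfacing separately, because a CNA score of 7.5 with Exploitation "active" should outrank an unexploited 9.1 in most patch queues.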
Although the current measures help reduce the analysis backlog, the CEO of RiskHorizon.ai believes that long-term solutions are needed. He proposes automating the vulnerability disclosure process, which he believes would address the problem more effectively.