NVD cutbacks hamper NIST’s vulnerability analysis

Over 90% of new security flaws submitted to the National Institute of Standards and Technology's National Vulnerability Database since funding was reduced in early February still lack the analysis or enrichment that would enable discovery of impacted software, reports The Record, a news site by cybersecurity firm Recorded Future.

Funding cuts have also hampered analysis for 82% of vulnerabilities that already have public proof-of-concept exploits, according to a VulnCheck report.

"With the recent slowdown of the NIST National Vulnerability Database (NVD), it's crucial to understand the gravity of the situation. Nation-state threat actors and ransomware gangs continue to target organizations with devastating consequences, while our own house is in disarray," said VulnCheck researcher Patrick Garrity.

Such a development should prompt increased CVE record enrichment efforts from cybersecurity firms and CVE Numbering Authorities, as well as a prioritization of automated CVE enrichment, Garrity added. Meanwhile, the Cybersecurity and Infrastructure Security Agency has already moved to bolster vulnerability analysis through the "Vulnrichment" initiative, with other efforts to follow.
