NIST gives up enriching most CVEs

April 17, 2026

What changed

The National Institute of Standards and Technology announced it will stop enriching most Common Vulnerabilities and Exposures (CVE) entries in the National Vulnerability Database (NVD). Going forward, NIST says its staff will add metadata only for a narrow set of bugs: those listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, vulnerabilities in software used by U.S. federal agencies, and flaws in what NIST calls “critical software” — think operating systems, web browsers, security tools, firewalls, backup systems and VPNs. It is a clear narrowing of focus: the bugs NIST deems important will still get attention, while the rest will largely be left as raw CVE records.

Why now

NIST’s decision is reported to follow more than two years of falling behind as the flow of new vulnerabilities exploded. An initial backlog of 2,100+ un-enriched CVEs snowballed into almost 30,000 by the end of 2024, and the agency is still tens of thousands of entries short. Budgetary constraints, which some sources tie to recent cuts affecting DHS and CISA, are reported to have made catching up unrealistic, and NIST has effectively acknowledged it won’t be able to enrich the backlog under current funding.

What this means for the industry

The move removes one of the few centralized enrichment services many vulnerability management vendors relied on. It has been reported that Aikido Security’s Sooraj Shah warned the change signals the end of a single source of truth, and that teams and tools will need to diversify where they get metadata. NIST also says it will stop publishing its own CVSS severity scores and will show the score assigned by the CVE-issuing organization — a change that almost guarantees more debates, disputes, and messy comparisons. So who picks up the slack? No single winner is obvious. The result: more DIY enrichment, more fragmentation, and, yes, more drama.
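As an added illustration (not code from the article, NIST, or any vendor it names) of the "DIY enrichment" teams now face: a small Python triage routine that prefers a NIST-enriched CVSS score when one exists, falls back to the CNA's own score otherwise, flags records that still need local enrichment, and puts KEV-listed entries first. The record layout assumes the public NVD API 2.0 field names (`vulnStatus`, `metrics.cvssMetricV31`, `source`); the records and KEV set are constructed samples.

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple, List, Set

# Constructed sample records shaped like NVD API 2.0 "cve" objects
# (assumption: field names follow the public schema; values are made up).
SAMPLE_CVES = json.loads("""[
 {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
  "metrics": {"cvssMetricV31": [
    {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.8}},
    {"source": "vendor@example.org", "type": "Secondary", "cvssData": {"baseScore": 7.5}}]}},
 {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
  "metrics": {"cvssMetricV31": [
    {"source": "vendor@example.org", "type": "Secondary", "cvssData": {"baseScore": 6.1}}]}},
 {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}
]""")
KEV_IDS: Set[str] = {"CVE-0000-0002"}  # constructed stand-in for the CISA KEV catalog

NIST_SOURCE = "nvd@nist.gov"  # source tag NVD uses for its own enrichment

@dataclass
class Triage:
    cve_id: str
    in_kev: bool
    score: Optional[float]
    score_source: str            # "nist", "cna" or "none"
    needs_local_enrichment: bool # True when no NIST-supplied metric exists

def pick_score(cve: dict) -> Tuple[Optional[float], str]:
    """Prefer a NIST-enriched CVSS 3.1 score; fall back to the CNA's own score."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    nist = [m for m in metrics if m.get("source") == NIST_SOURCE]
    if nist:
        return nist[0]["cvssData"]["baseScore"], "nist"
    if metrics:  # only the CVE-issuing organisation scored it
        return metrics[0]["cvssData"]["baseScore"], "cna"
    return None, "none"  # raw CVE record, no score at all

def triage(cve: dict, kev_ids: Set[str]) -> Triage:
    score, src = pick_score(cve)
    return Triage(cve["id"], cve["id"] in kev_ids, score, src,
                  needs_local_enrichment=(src != "nist"))

def triage_all(cves: List[dict], kev_ids: Set[str]) -> List[Triage]:
    """KEV-listed entries first, then by score descending; unscored records last."""
    rows = [triage(c, kev_ids) for c in cves]
    return sorted(rows, key=lambda t: (not t.in_kev, -(t.score or 0.0)))

if __name__ == "__main__":
    for row in triage_all(SAMPLE_CVES, KEV_IDS):
        print(row)
```

Records with `needs_local_enrichment` set are the ones a team now has to score and classify itself, or source from another feed.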

Sources: risky.biz, Hacker News