CVEs awaiting processing at NVD HQ.

Turf wars? NIST to fix NVD backlog by September – insists it’s right agency to run vulnerability database

Update comes after CISA started enriching CVEs itself…

NIST has insisted that it is “uniquely suited” to manage the National Vulnerability Database (NVD) and should be able to clear a massive backlog of unprocessed software security vulnerabilities by September.

NIST has contracted “additional processing support for incoming Common Vulnerabilities and Exposures (CVEs)”, it said in a short update on May 29. (NIST pulls them in from the CVE.org database before enriching them.)

Updated, 18:00 BST. NIST confirmed to The Stack, after being asked the question, that it has contracted Analygence for CVE update support.

The agency, which sits under the Department of Commerce, added “this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.”


It should clear this backlog by the end of its fiscal year (September), it said.

NIST has fallen hugely behind on processing CVEs, as covered in depth by The Stack in April. More than 90% of submissions have not been “enriched” since it started falling behind in February, for contested reasons*, and the issue is attracting increasingly influential attention.

Former National Security Agency (NSA) Cybersecurity Director Rob Joyce, commenting on these latest figures, said on X this week: “Wow. This is a significant risk. We now lack understanding of ongoing attack surface. 

“We need NVD functionality restored ASAP.”


In April, 50 cybersecurity professionals called for Congress to urgently “establish a plan, with clear timelines and accountability, to improve NVD processes and operations”, describing the NVD in an open letter to Congressional leaders as “the backbone of vulnerability management across the globe” and calling for it to be treated as critical infrastructure.

The NVD analyses CVEs, the identifiers allocated to software vulnerabilities, and augments them with additional information such as CVSS (severity) scores and CWE classifications (the specific type of weakness) to inform defenders.
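What “enriched” means in practice is visible in the NVD record itself: an analysed CVE carries NVD-supplied CVSS metrics, CWE weaknesses and CPE configurations, while a backlogged one carries none of them (or only a CNA-supplied score). The following is an added example, not code from NIST or The Stack, that classifies records shaped like NVD API 2.0 responses by that test. The three records are constructed with placeholder IDs, and the field names (`vulnStatus`, `metrics`, `weaknesses`, `configurations`) and the `nvd@nist.gov` source string are assumptions about the API shape to be checked against the live schema.

```python
"""Classify NVD API 2.0-style CVE records as enriched or backlogged.

Added example with constructed records; the JSON field names and the
NVD source string below are assumptions about the API 2.0 shape.
"""
from collections import Counter

NVD_SOURCE = "nvd@nist.gov"  # assumed source label on NVD's own analysis entries

# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "type": "Primary",
                                            "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "weaknesses": [{"source": NVD_SOURCE, "type": "Primary",
                             "description": [{"lang": "en", "value": "CWE-787"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
    # Only a CNA-supplied score: a tool that sees "a CVSS score" may wrongly treat this as enriched.
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                            "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis"}},
]


def nvd_entries(entries):
    """Keep only entries that NVD itself supplied, not CNA or third-party ones."""
    return [e for e in entries if e.get("source") == NVD_SOURCE]


def enrichment_report(record):
    """Return what NVD has added to one record and whether it counts as enriched."""
    cve = record["cve"]
    cvss_entries = []
    for version_list in cve.get("metrics", {}).values():  # cvssMetricV31, V30, V2 ...
        cvss_entries.extend(version_list)
    nvd_cvss = nvd_entries(cvss_entries)
    nvd_cwes = [d["value"] for w in nvd_entries(cve.get("weaknesses", []))
                for d in w.get("description", []) if d.get("lang") == "en"]
    cpes = [m["criteria"] for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", []) for m in node.get("cpeMatch", [])]
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),
        "nvd_cvss": nvd_cvss[0]["cvssData"]["baseScore"] if nvd_cvss else None,
        "any_cvss": bool(cvss_entries),
        "cwes": nvd_cwes,
        "cpes": cpes,
        # Enriched only when all three NVD-supplied pieces are present.
        "enriched": bool(nvd_cvss and nvd_cwes and cpes),
    }


def backlog_summary(records):
    """Aggregate enrichment state over a feed, flagging records a naive tool would miscount."""
    reports = [enrichment_report(r) for r in records]
    counts = Counter("enriched" if r["enriched"] else "unenriched" for r in reports)
    total = len(reports)
    return {
        "total": total,
        "enriched": counts["enriched"],
        "unenriched": counts["unenriched"],
        "unenriched_pct": round(100 * counts["unenriched"] / total, 1) if total else 0.0,
        "scored_but_unenriched": [r["id"] for r in reports if r["any_cvss"] and not r["enriched"]],
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(enrichment_report(rec))
    print(backlog_summary(SAMPLE_RECORDS))
```

The `scored_but_unenriched` list is the one to watch in a tool that keys only on the presence of a CVSS score: the second record has a score, but nothing from NVD, so no CPE configuration exists to match an inventory against.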

Its failure in recent months has seen calls in some quarters for another agency to take over the database. Earlier this month the Cybersecurity and Infrastructure Security Agency (CISA), which sits under the Department of Homeland Security, said it is starting an independent “Vulnrichment” programme to add detail to incoming CVEs. 

Speaking to The Stack last month about the ongoing NVD processing issue, Tom Alrich, a cybersecurity specialist and co-leader of the Open Source Foundation for Application Security (OWASP)’s SBOM Forum, said: “The NVD has a number of single points of failure. And presumably one of them failed! The amazing thing is that it seems they're having trouble even finding out what it is, that's the problem. It's so ancient…” 


Alrich suggested that the CVE.org database has a much more modern infrastructure and “already has all the data that the NVD does. This is because the CVE reports come to CVE.org first, before they get passed on to the NVD”, suggesting that one fix might be to make CVE.org the nation’s (and the world’s) premier vulnerability database instead. 

He suggested that a failure to take this route or resolve the issue more swiftly may have political roots: “CVE.org is [part of the] Department of Homeland Security. NVD is part of the Department of Commerce. Whenever in government you have a problem that needs to be resolved between two departments, you have to go to their common boss…”

NIST said that it is “also working on ways to address the increasing volume of vulnerabilities through technology and process updates…

“With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. 

“NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation. Moving forward, we will keep the community informed of our progress toward normal operational levels and our future modernization plans,” the agency added. 

Brian Fox, co-founder and CTO of Sonatype, said: “While the NVD's restoration is a welcome development for the cybersecurity community, we’ve seen what happens when businesses become too reliant on it. Too many commercially available tools depend solely upon the NVD feed for vulnerability-enriched data. Once the NVD slowed down, all those tools effectively became blind to new vulnerabilities.

“One of my chief concerns is that until we get a transparent explanation of what transpired, we won’t know if it will happen again. These concerns exist notwithstanding the fact that the CPE system is also not optimized for open source projects. Assigning a CPE number to a vulnerability in a component like Apache Struts or Spring, where there are 80 to 100 individual components, is just not feasible. It’s too imprecise and can lead to false positives.

“A federated model, à la the CNA approach, is needed to restore trust and mitigate some of these more fundamental issues with the NVD, and we need more adoption of pURL coordinates to supersede the CPE.”
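The precision gap Fox describes between CPE and pURL can be shown with a small matcher. This is an added example, not code from Sonatype or from this article: it parses both coordinate forms, then matches a constructed SBOM (placeholder versions, no claim that any real artifact is affected) against a constructed advisory expressed once as a vendor/product CPE and once as a pURL. The `MAVEN_GROUP_TO_CPE` mapping is an assumption standing in for the heuristic a CPE-based scanner needs to relate a Maven group to a CPE vendor/product.

```python
"""CPE vendor/product matching versus pURL coordinate matching on an SBOM.

Added example with a constructed SBOM and constructed advisory coordinates.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str
    name: str
    version: str


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath (qualifiers/subpath dropped)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a pURL: {purl}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    segments = [unquote(s) for s in path.strip("/").split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"pURL needs at least a type and a name: {purl}")
    return Purl(segments[0].lower(), "/".join(segments[1:-1]), segments[-1], version)


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str


def parse_cpe23(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted string; only the first four of its 11 attributes are kept."""
    fields = cpe.split(":")  # simplification: escaped colons in values are not handled
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return Cpe(fields[2], fields[3], fields[4], fields[5])


# Constructed SBOM for a hypothetical application; versions are placeholders.
SBOM = [
    "pkg:maven/org.apache.struts/struts2-core@2.5.30",
    "pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.30",
    "pkg:maven/org.apache.struts/struts2-json-plugin@2.5.30",
    "pkg:maven/org.example/unrelated-lib@1.0.0",
]

# Assumed Maven-group-to-CPE mapping; real scanners derive this heuristically.
MAVEN_GROUP_TO_CPE = {"org.apache.struts": ("apache", "struts")}


def matches_cpe(component: str, cpe: str) -> bool:
    """Umbrella match: every artifact under the mapped vendor/product at that version hits."""
    p, c = parse_purl(component), parse_cpe23(cpe)
    return (p.type == "maven"
            and MAVEN_GROUP_TO_CPE.get(p.namespace) == (c.vendor, c.product)
            and c.version in ("*", p.version))


def matches_purl(component: str, affected: str) -> bool:
    """Exact coordinate match: same type, namespace and name; version must match if given."""
    p, a = parse_purl(component), parse_purl(affected)
    return ((p.type, p.namespace, p.name) == (a.type, a.namespace, a.name)
            and (not a.version or a.version == p.version))


def flagged(sbom, advisory_coordinate, matcher):
    """Return the SBOM entries a given matcher would raise an alert for."""
    return [c for c in sbom if matcher(c, advisory_coordinate)]


if __name__ == "__main__":
    cpe_hits = flagged(SBOM, "cpe:2.3:a:apache:struts:2.5.30:*:*:*:*:*:*:*", matches_cpe)
    purl_hits = flagged(SBOM, "pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.30", matches_purl)
    print("CPE umbrella flags:", cpe_hits)
    print("pURL coordinate flags:", purl_hits)
```

With the same constructed advisory, the CPE form flags every artifact that shares the vendor/product pair, two of which are false positives for an issue confined to one module, while the pURL form flags only the named artifact.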

*NIST saw its budget slashed under a March 3 congressional funding Act, receiving $1.46 billion, nearly 12% less than in 2023. That alone does not appear to have been the cause of the issues. Industry rumours passed on to The Stack also suggest that one CNA, or entity authorised by the CVE Program to assign CVE IDs to vulnerabilities, had erroneously uploaded a large tranche of data to the NVD that was not, in fact, CVE records, causing breakage/pollution of its ageing systems that it is still trying to manually clean up. We could not independently verify this claim.