NVD Update: More Problems, More Letters, Some Questions Answered
The past week has been a wild ride for those following all the hot goss’ on the National Vulnerability Database.
Previously on The Code and the Vulnerable, we reported on the NVD slowdown that began in mid-February. Since then, the NVD has continued to publish new CVEs, but it has enriched (with analysis data such as CVSS scores and CPE identifiers, the parts downstream scanners and SBOM tooling actually key on) only a very small fraction of them. If you need a breakdown of all these acronyms, definitely check out that first blog on this topic.
No one knew why the NVD was suddenly struggling, but it became clear that things were not improving and NVD watchers began pointing out that the backlog was growing too large to handle. Some NVD fans, like our own Jeff Martin, worked on a letter to Congress, pleading for more support for the NVD.
On May 9, the NVD took a further step backwards and ground to a complete halt, failing to enter a single new CVE, let alone any enrichment data. Never one to proactively make an official statement to head off rumors, NIST at least shared via email that the pause was temporary while they updated their pipeline for a new CVE record format. Skepticism remained; however, on May 14 they rallied and entered just under 800 CVEs into the database. Enrichment of CVEs remains stalled.
May 14 was also the day that the Hacking Policy Council posted their own letter to Congress. This five-page letter makes similar but more detailed points to the first letter we mentioned, and you can read it here.
The most surprising bit of information about the NVD came quietly on May 13. Tom Alrich, head of the OWASP SBOM forum, posted on his blog the answer to some of the questions that have been on everyone’s minds since the very beginning: Why did the NVD begin to stumble so suddenly in mid February? We knew NIST had some budget cuts, but did they really slash the NVD’s take by that much?
Shockingly, Alrich learned during his weekly SBOM forum meeting that NIST is not the largest funder of the NVD, as we’d all previously assumed. It was this other source of funding, not NIST, that pulled the rug out from under the NVD. That source isn’t named and it took us a second to read between the lines. Can’t be named, very interested in cybersecurity and American critical infrastructure… that should narrow it down to a few possibilities for you.
The good news is that CVE.org, which is under the purview of CISA rather than NIST, might just be picking up what the NVD has set down. CVE.org has always overlapped with the NVD in many ways (the NVD's records are built on top of the CVE List in the first place), and the CVE program has already begun asking CNAs to include enrichment data such as CVSS scores when they report CVEs. If CVE.org can make its vulnerability data as robust and accessible as the NVD's is (or was, anyway), it might be best to rescind those letters to Congress and just let the NVD die.
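For readers who want to measure the backlog themselves rather than take our word for it, here is an added example (our own illustration, not code from NIST, the CVE program, or the earlier post) that classifies NVD API 2.0 records by enrichment status and, for records NIST has not analyzed, falls back to the CNA-supplied CVSS score that the CVE program is now asking CNAs to include. The sample records are constructed; the field names (`cve.vulnStatus`, `cve.metrics.cvssMetricV31[*].source`/`type`, `cve.configurations`) follow the NVD CVE API 2.0 response shape as we understand it, and the `nvd@nist.gov` source identifier and the `cna@example.org` CNA are assumptions of the example.

```python
"""Classify NVD API 2.0 CVE records by enrichment status.

Added example, not part of the original post or of any NIST/CVE tooling.
The sample below is constructed; field names assume the NVD CVE API 2.0
response layout (cve.vulnStatus, cve.metrics.*, cve.configurations).
"""
import json
from collections import Counter

# Source string NVD attaches to its own (Primary) analysis; assumed here.
NVD_SOURCE = "nvd@nist.gov"

# Constructed sample response: one fully enriched record, one carrying only
# a CNA-supplied score, and one sitting in the backlog with nothing.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": NVD_SOURCE, "type": "Primary",
                 "cvssData": {"baseScore": 9.8}},
                {"source": "cna@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 9.1}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0002",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5}}]},
        }},
        {"cve": {
            "id": "CVE-0000-0003",
            "vulnStatus": "Awaiting Analysis",
        }},
    ]
})


def load_cves(response_text: str) -> list:
    """Return the list of cve objects from an NVD API 2.0 response body."""
    return [entry["cve"] for entry in json.loads(response_text)["vulnerabilities"]]


def _all_scores(cve: dict) -> list:
    """Flatten every CVSS entry (v3.1, v3.0, v2 ...) into one list.

    Dict insertion order is preserved, so a v3.1 block listed first is
    preferred over an older version when picking a fallback score.
    """
    return [m for entries in cve.get("metrics", {}).values() for m in entries]


def classify(cve: dict) -> str:
    """'enriched' if NVD supplied a score AND CPE configurations,
    'cna_only' if the only analysis data came from the CNA,
    'unenriched' if the record carries no CVSS at all."""
    scores = _all_scores(cve)
    nvd_scored = any(m.get("source") == NVD_SOURCE for m in scores)
    has_cpe = bool(cve.get("configurations"))
    if nvd_scored and has_cpe:
        return "enriched"
    if scores:
        return "cna_only"
    return "unenriched"


def best_score(cve: dict):
    """Prefer NVD's Primary CVSS; fall back to any CNA score; None if neither."""
    scores = _all_scores(cve)
    for m in scores:
        if m.get("type") == "Primary":
            return m["cvssData"]["baseScore"]
    for m in scores:
        return m["cvssData"]["baseScore"]
    return None


def summarize(response_text: str) -> dict:
    """Count records per status and report the enriched fraction."""
    counts = Counter(classify(c) for c in load_cves(response_text))
    total = sum(counts.values())
    return {
        "total": total,
        "enriched": counts["enriched"],
        "cna_only": counts["cna_only"],
        "unenriched": counts["unenriched"],
        "enriched_fraction": counts["enriched"] / total if total else 0.0,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RESPONSE))
```

To run this against live data, page through `https://services.nvd.nist.gov/rest/json/cves/2.0` with a `pubStartDate`/`pubEndDate` window and feed each response body to `summarize`; the NVD API rate-limits unauthenticated callers, so expect to sleep between pages. The `cna_only` bucket is the interesting one for the CVE.org question above: it shows how many backlogged records a scanner could still score if it read the CNA's metrics instead of waiting for NIST.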