The NVD confusion is a big deal. Here’s why.

The National Vulnerability Database (NVD) is a crucial component of the cyber security ecosystem.  

Organizations worldwide rely on the NVD to identify, assess, and mitigate vulnerabilities in their software and systems. Managed by the National Institute of Standards and Technology (NIST), it serves as the world’s most comprehensive repository of publicly known cyber security vulnerabilities.  

Or, at least, it did.  

Recent events have shaken confidence in the NVD’s reliability, leading to widespread concern and confusion within the cyber security community. This blog post aims to unpack the current turmoil surrounding the NVD and its implications for global cyber security. 

How the NVD is supposed to work

The NVD operates by aggregating and cataloging data on known vulnerabilities from various sources, including the Common Vulnerabilities and Exposures (CVE) database. Each CVE entry includes a unique identifier for a specific vulnerability. Once a CVE is added to the NVD, it undergoes a process of enrichment, where additional details are provided, such as: 

• Common Weakness Enumerations (CWEs): Descriptions of the types of programming errors that can lead to the vulnerability. 
• Common Platform Enumerations (CPEs): Information about the specific software and hardware platforms affected by the vulnerability. 
• Common Vulnerability Scoring System (CVSS): A standardized scoring system that assesses the severity of vulnerabilities, helping organizations prioritize their responses. 

This enriched information is critical for cyber security professionals to understand the potential impact of vulnerabilities and to implement appropriate mitigations. When kept up to date, the NVD’s comprehensive and detailed entries enable organizations to stay ahead of potential threats by ensuring timely updates and patches. 

What happened?

Since February 12, 2024, the NVD has experienced significant disruptions in its operations. NIST halted the enrichment of Common Vulnerabilities and Exposures (CVEs) in the database. While new CVEs continued to be added, they lacked crucial metadata, such as CWE, CPE and CVSS scores.  

The situation was further complicated in May 2024 when NIST attempted to upgrade the NVD to a new CVE JSON format. This transition encountered numerous issues, exacerbating the already strained system. The upgrade was intended to modernize the database and improve its functionality, but the implementation challenges only added to the confusion and frustration. 

In response to these challenges, NIST announced on March 28, 2024, the formation of a new industry consortium to support and potentially take over the operation of the NVD. This consortium aims to bring together industry experts and resources to stabilize and enhance the database. Despite this announcement, the cyber security community remains concerned about the prolonged disruption and the uncertainty surrounding the NVD’s future. 

Timeline of events

1. February 12, 2024: NIST stops enriching CVE entries in the NVD, leaving many vulnerabilities without detailed analysis. 
2. March 15, 2024: Initial reports emerge about the disruption in NVD services, raising concerns among cyber security professionals. 
3. March 28, 2024: NIST announces the establishment of a new consortium to support and operate the NVD, aiming to address the ongoing issues. 
4. April 16, 2024: A group of cyber security professionals sends an open letter to the US Congress, urging intervention to restore NVD operations. 
5. May 8, 2024: The Cybersecurity and Infrastructure Security Agency (CISA) launches the Vulnrichment Program to address the challenges faced by the NVD. 
6. May 14, 2024: Continued reports of confusion and dissatisfaction as cyber security professionals complain about stalled CVE uploads. 

Why it matters

The disruptions within the NVD have far-reaching implications for the cyber security community and beyond. Here are the key reasons why this crisis matters: 

Increased vulnerability to attacks 

• Delay in mitigation: Without timely enrichment of CVE entries, organizations lack the necessary details to assess the severity of vulnerabilities. This delay can result in slower responses to emerging threats, increasing the window of opportunity for attackers. 
• Exploitation risk: Cyber criminals thrive on unpatched vulnerabilities. The current gaps in the NVD’s data enrichment mean that many organizations might not fully understand the risks they face, leading to a higher chance of successful exploits. 

Operational and financial impact 

• Resource allocation: Without clear vulnerability details, organizations may misallocate resources, either by overestimating or underestimating the severity of threats. This inefficiency can lead to unnecessary expenditures or, worse, unaddressed critical vulnerabilities. 
• Economic costs: Cyber attacks resulting from unpatched vulnerabilities can lead to significant financial losses. The lack of detailed CVE information from the NVD exacerbates this risk, potentially costing companies millions in damages and recovery efforts. 

Impact on cyber security research and development

• Research delays: Accurate and comprehensive vulnerability data is crucial for cyber security research and development. The current issues with the NVD hinder the ability of researchers to study trends, develop new defenses, and advance the field. 
• Innovation stagnation: The uncertainty and lack of reliable data can stifle innovation in cyber security technologies and solutions, potentially slowing down progress in an industry that needs to constantly evolve to keep up with emerging threats. 

Erosion of trust

• Reliability concerns: The prolonged disruption and lack of communication from NIST have eroded trust in the NVD. Organizations and cyber security professionals rely on this database for critical information, and the current situation has left many questioning its reliability. 
• Global impact: The NVD is used by organizations worldwide. The uncertainty and gaps in the database’s information affect not just US-based entities but also international companies, potentially leading to a global cyber security crisis. 

The current crisis within the NVD highlights the interconnectedness of the cyber security ecosystem. The database’s role as a central repository of vulnerability information means that any disruption has a ripple effect, impacting a wide range of stakeholders and increasing the overall risk landscape. 

What they said

With the NVD being a cornerstone of cyber security research, it’s no surprise to see that this story has been making waves: 

The Vulcan Cyber view

The recent issues at NVD are a reminder that security teams must think more broadly about vulnerability prioritization; the straight reality is that those IT security teams with a more mature vulnerability management program likely have the processes in place to better mitigate the fallout from NVD’s current challenges.  

The Vulcan Cyber mission is to help organizations bridge this gap and take ownership of their exposure risk. Contextual prioritization provides an accurate reflection of the threats that matter most. Here are some the of factors that the Vulcan Cyber ExposureOS(TM) risk prioritization engine is built upon: 

Business context and asset posture

Prioritize risk based on customizable logical groups like business unit, network segment, application and/or asset type, compliance requirements, CMDB context or any other grouping relevant to your environment. The ‘Security Posture Rating’ (SPR) capability enables companies to contextualize and give priority to risks according to their specific business requirements. SPR is calculated by intelligent asset groupings and demonstrates overtime the impact of incremental vulnerability response activities. 

Threat intelligence

Vulcan Cyber enriches vulnerability data with 20+ threat intelligence feeds and threat temporal factors (e.g. exploitability, usage in the wild). 

CVE enrichment

Vulcan Cyber provides unique and comprehensive threat insights beyond generic and technical vulnerability criticality scores such as CVSS. For example, the platform automatically adds the EPSS score of every vulnerability. 

Attacker perspective

Gain comprehensive visibility across all of your cyber attack surfaces and see vulnerability risk through the eyes of an attacker using Attack Path Graph. 

To learn more about how Vulcan Cyber can enrich prioritization efforts, get a demo today.