NIST Changes CVE Enrichment Policy Amid 263% Surge in Vulnerability Submissions
The National Institute of Standards and Technology (NIST) has announced a significant policy change for its National Vulnerability Database (NVD), reducing the enrichment metadata it adds to CVE entries amid a 263% surge in new vulnerability submissions and a persistent backlog of unprocessed entries.
What Is Changing
NIST will no longer guarantee adding CVSS scores, CWE classifications, and CPE affected product data to all CVE entries. Previously, NIST enriched nearly every CVE. Now, only “high-priority” vulnerabilities will receive full enrichment.
What NIST Will Still Provide
- CVE ID and basic description (from MITRE)
- References and links to vendor advisories
- CVSS scores for critical and high-severity vulnerabilities
What May Now Be Missing
- CVSS scores for medium and low severity CVEs
- CWE (Common Weakness Enumeration) classifications
- CPE (Common Platform Enumeration) data for automated patch matching
- CVSS Environmental and Temporal scores
The Scale Problem
CVE submissions have exploded:
- 2023: ~28,000 CVEs published
- 2024: ~40,000 CVEs published
- 2025: ~55,000 CVEs published
- 2026 (projected): ~74,000+ CVEs
NVD’s enrichment team of ~24 analysts simply cannot keep pace. By early 2026, over 19,000 CVEs had no CVSS score in the NVD.
Impact on Security Tools
Many vulnerability scanners and SCA tools depend on NVD metadata:
- Dependabot, Snyk, and Trivy use NVD CVSS scores for severity prioritization
- SIEM systems use CPE data to match vulnerabilities to inventory
- Compliance frameworks (PCI-DSS, FedRAMP) reference NVD severity levels
Alternative Vulnerability Data Sources
```shell
# Use OSV (Open Source Vulnerabilities) — Google-maintained
# osv-scanner is a Go CLI, not the PyPI "osv" library; install it with Homebrew or Go
brew install osv-scanner   # or: go install github.com/google/osv-scanner/cmd/osv-scanner@v1
osv-scanner -r /path/to/your/project   # recursive scan of a project directory

# EPSS (Exploit Prediction Scoring System) — prioritize by exploitation likelihood
# quote the URL so the shell does not treat "?" as a glob character
curl "https://api.first.org/data/v1/epss?cve=CVE-2026-34197"

# VulnCheck — commercial enrichment filling NVD gaps

# Anchore's Grype uses multiple sources
grype dir:.   # scan current directory

# GitHub Advisory Database (GHSA) — often faster than NVD
# Integrated in Dependabot and GitHub Security tab
```
The SudoFlare Takeaway
The NVD’s struggles reveal a systemic problem: the vulnerability disclosure ecosystem has scaled far beyond what a single government agency can manage. Security teams should diversify their vulnerability intelligence sources beyond NVD. EPSS scores (which predict exploitation likelihood) are often more actionable than CVSS severity scores — a CVE with EPSS of 0.85 matters more than one with CVSS 9.0 and EPSS of 0.01.
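The two points above (tools that assume every CVE carries NVD CVSS/CPE data, and EPSS being the more actionable ranking signal) come together in a triage script. The following is an added example written for this post, not SudoFlare's or NIST's code. It parses records in the shape of the NVD 2.0 API and the FIRST EPSS API, merges them, and ranks findings so that a CVE with no CVSS score is surfaced for manual enrichment instead of silently sinking to the bottom. All sample data is constructed; the CVE ids are placeholders, not real entries.

```python
"""Rank CVEs by EPSS, then CVSS, without losing unenriched entries.

Added example for this post. Sample payloads mimic the field layout of the
NVD 2.0 API (vulnerabilities[].cve.metrics.cvssMetricV31[].cvssData.baseScore)
and the FIRST EPSS API (data[].cve / data[].epss). All values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed NVD-shaped sample. CVE-2026-00001 has an empty "metrics" block,
# modelling an entry NVD never enriched.
NVD_SAMPLE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2026-00001", "metrics": {}}},
        {"cve": {"id": "CVE-2026-00002",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
        {"cve": {"id": "CVE-2026-00003",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}}},
    ]
}

# Constructed EPSS-shaped sample. EPSS reports scores as strings.
# CVE-2026-00003 is deliberately absent: EPSS can lag new CVEs as well.
EPSS_SAMPLE = {
    "data": [
        {"cve": "CVE-2026-00001", "epss": "0.85000", "percentile": "0.98000"},
        {"cve": "CVE-2026-00002", "epss": "0.01000", "percentile": "0.40000"},
    ]
}


@dataclass
class Finding:
    cve: str
    cvss: Optional[float]   # None when NVD supplied no CVSS v3.1 metric
    epss: Optional[float]   # None when EPSS has no score for the CVE

    @property
    def needs_enrichment(self) -> bool:
        """True when NVD gave no CVSS; look the CVE up in OSV/GHSA/VulnCheck."""
        return self.cvss is None


def parse_nvd(payload: dict) -> dict:
    """Return {cve_id: base_score or None} from an NVD-2.0-shaped payload."""
    scores = {}
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        scores[cve["id"]] = metrics[0]["cvssData"]["baseScore"] if metrics else None
    return scores


def parse_epss(payload: dict) -> dict:
    """Return {cve_id: epss_probability} from an EPSS-API-shaped payload."""
    return {row["cve"]: float(row["epss"]) for row in payload.get("data", [])}


def merge(nvd: dict, epss: dict) -> list:
    """Join NVD and EPSS by CVE id; missing EPSS stays None rather than 0."""
    return [Finding(cve, score, epss.get(cve)) for cve, score in nvd.items()]


def priority_key(f: Finding) -> tuple:
    """EPSS first, CVSS second. An unknown CVSS is treated as worst case (10.0)
    so an unenriched CVE is triaged rather than buried; an unknown EPSS sorts
    last within its CVSS band because there is no exploitation evidence yet."""
    epss = f.epss if f.epss is not None else -1.0
    cvss = f.cvss if f.cvss is not None else 10.0
    return (epss, cvss)


def prioritize(nvd_payload: dict, epss_payload: dict) -> list:
    """Return findings sorted from most to least urgent."""
    findings = merge(parse_nvd(nvd_payload), parse_epss(epss_payload))
    return sorted(findings, key=priority_key, reverse=True)


def unenriched(findings: list) -> list:
    """CVE ids that need a non-NVD source for severity and affected-product data."""
    return [f.cve for f in findings if f.needs_enrichment]


if __name__ == "__main__":
    ranked = prioritize(NVD_SAMPLE, EPSS_SAMPLE)
    for f in ranked:
        flag = "  <- no NVD CVSS, query alternative source" if f.needs_enrichment else ""
        print(f"{f.cve}: epss={f.epss} cvss={f.cvss}{flag}")
    print("unenriched:", unenriched(ranked))
```

With the constructed data the EPSS 0.85 entry with no CVSS ranks first, the CVSS 9.8 / EPSS 0.01 entry second, and the entry with no EPSS record last, which is the ordering the post argues for. The choice to score an unknown CVSS as 10.0 is a triage policy, not a fact about the CVE: it keeps unenriched entries visible until a second source fills the gap, which is the failure mode the NVD change introduces.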