The US National Institute of Standards and Technology (NIST) is working on improving how it adds vulnerabilities to its National Vulnerability Database (NVD), but the process has left many organizations tapping in the dark when it comes to securing their premises.
The process began in mid-February 2024, when researchers observed a severe drop in the number of software vulnerability enrichments in NVD, the most popular database for software vulnerabilities on the planet.
Enriching an NVD entry means adding crucial metadata to a disclosed vulnerability: what the flaw is, which software it affects, how severe it is, etc.
Replacing CPE
Without this information, IT teams everywhere will only know that a certain vulnerability exists - it’s up to them, and their peers, to establish where it exists, how dangerous it is, and how it can be addressed. Apparently, since the drop was first spotted, more than 2,500 vulnerabilities were added to the database, without crucial information.
As expected, the industry rallied, and NIST was forced to respond. A few days later, a NIST announcement said there could be “delays in analysis efforts” because NIST “is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.”
This explanation seems to have only made things worse. Some users wanted to know more about the consortium, its members, its modus operandi, and other details. Others were questioning the necessity for such a major change, as the industry set up a “pretty efficient” system that’s been in use for years. NIST is yet to provide further details.
In truth, nobody really knows what NIST is trying to achieve, or why. Some speculate that the organization is looking to replace Common Product Enumerators (CPE), possibly with Software Identification (SWID) tags. Whatever the case may be, NIST was heavily criticized for its lack of transparent communications.
More from TechRadar Pro
- Rapid AI development is putting security and privacy at risk
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now