TechRadar
Sead Fadilpašić

NIST has stopped enriching its vulnerability list - and no one knows why

The US National Institute of Standards and Technology (NIST) is working on improving how it adds vulnerabilities to its National Vulnerability Database (NVD), but the process has left many organizations in the dark when it comes to securing their systems.

The problem began in mid-February 2024, when researchers observed a sharp drop in the number of vulnerability enrichments in the NVD, the most widely used software vulnerability database in the world.

Enriching an NVD entry means adding crucial metadata to a disclosed vulnerability: what the flaw is, which software and versions it affects, how severe it is, and so on.

Replacing CPE

Without this information, IT teams everywhere only know that a certain vulnerability exists; it is up to them, and their peers, to establish where it exists, how dangerous it is, and how it can be addressed. Apparently, since the drop was first spotted, more than 2,500 vulnerabilities have been added to the database without this crucial information.
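A defender can detect this gap in a feed rather than discovering it during an incident. The following Python is an added example, not code from the article or from NIST. It assumes the NVD API 2.0 JSON layout (`vulnerabilities[].cve` with `metrics.cvssMetricV31`, `weaknesses` and `configurations[].nodes[].cpeMatch`) and uses constructed records with placeholder CVE ids; it flags entries that carry a description but no CVSS score, CWE or CPE, which is what an un-enriched entry looks like.

```python
"""Flag NVD records that lack enrichment data (CVSS, CWE, CPE).

Added example, not part of the TechRadar article. The record layout is
modelled on the NVD API 2.0 JSON response (an assumption), and the sample
records below are constructed with placeholder CVE identifiers.
"""
import json
from typing import Dict, List

# Constructed sample feed shaped like an NVD API 2.0 response (assumption).
# CVE-0000-0001 is fully enriched; CVE-0000-0002 has only a description.
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",  # placeholder id, not a real CVE
            "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en",
                              "value": "Constructed: buffer overflow in example-daemon."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8,
                                                         "baseSeverity": "CRITICAL"}}]},
            "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}]}],
            "configurations": [{"nodes": [{"cpeMatch": [{
                "vulnerable": True,
                "criteria": "cpe:2.3:a:example:example-daemon:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.4.1"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0002",  # placeholder id, not a real CVE
            "vulnStatus": "Awaiting Analysis",
            "descriptions": [{"lang": "en",
                              "value": "Constructed: improper input validation in example-web."}],
            "metrics": {},
        }},
    ]
})

# CVSS metric keys as used by the NVD API 2.0 schema (assumption).
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def missing_enrichment(cve: Dict) -> List[str]:
    """Return the enrichment fields absent from one cve object.

    An empty list means the entry carries severity, weakness class and
    affected-product data; anything else has to be filled in locally.
    """
    missing = []
    metrics = cve.get("metrics") or {}
    if not any(metrics.get(key) for key in CVSS_KEYS):
        missing.append("cvss")
    if not cve.get("weaknesses"):
        missing.append("cwe")
    has_cpe = any(
        match.get("criteria")
        for cfg in cve.get("configurations") or []
        for node in cfg.get("nodes") or []
        for match in node.get("cpeMatch") or []
    )
    if not has_cpe:
        missing.append("cpe")
    return missing


def triage(feed_json: str) -> Dict[str, List[str]]:
    """Map each CVE id in a feed to its missing enrichment fields."""
    feed = json.loads(feed_json)
    return {item["cve"]["id"]: missing_enrichment(item["cve"])
            for item in feed["vulnerabilities"]}


def unenriched_ids(feed_json: str) -> List[str]:
    """Ids that need manual severity/product analysis before they can be prioritised."""
    return [cve_id for cve_id, gaps in triage(feed_json).items() if gaps]


if __name__ == "__main__":
    for cve_id, gaps in triage(SAMPLE_FEED).items():
        print(f"{cve_id}: {'enriched' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Entries returned by `unenriched_ids` are the ones where the article's "it's up to them" applies: they cannot be matched against an asset inventory by CPE or ranked by CVSS until someone supplies that data from another source.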

As expected, the industry rallied, and NIST was forced to respond. A few days later, a NIST announcement said there could be “delays in analysis efforts” because NIST “is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.”

This explanation seems to have only made things worse. Some users wanted to know more about the consortium, its members, its modus operandi, and other details. Others questioned the need for such a major change, given that the industry had built up a “pretty efficient” system that has been in use for years. NIST has yet to provide further details.

In truth, nobody really knows what NIST is trying to achieve, or why. Some speculate that the organization is looking to replace Common Platform Enumeration (CPE), possibly with Software Identification (SWID) tags. Whatever the case may be, NIST has been heavily criticized for its lack of transparent communication.

Via Infosecurity Magazine
