The vulnerability management community has expressed concerns about the US National Vulnerability Database (NVD) potentially causing a supply chain security crisis [2].

Description

A group of cybersecurity professionals has sent an open letter to the US Secretary of Commerce and Congress [2], urging them to investigate and support the National Institute of Standards and Technology (NIST) in restoring and modernizing the NVD program. NIST has encountered challenges with a decrease in vulnerability enrichment data uploads [2], resulting in a backlog of unanalyzed Common Vulnerabilities and Exposures (CVEs). The NVD has processed only a fraction of the CVEs received this year [1], with a backlog of over 10,000 submissions [1]. This backlog poses a significant risk to global security [1], as essential metadata for assessing threats has been missing since mid-February [1]. The delays in vulnerability management have hindered organizations’ ability to prioritize and address vulnerabilities effectively [1]. In response to the lack of resources, NIST has initiated an industry consortium for future support in operating and funding the NVD program [2].
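The practical effect of the backlog described above is that a CVE record can exist without the CVSS score and CPE (affected-product) data that vulnerability management pipelines rely on for prioritization. The following is an added example, not code from the page or from either cited source: it scans records shaped like an NVD CVE API 2.0 response (an assumption about field names; the sample records and their IDs are constructed and not real CVEs) and flags any record that lacks a CVSS base score or a CPE configuration so it can be routed to manual triage instead of silently sorting to the bottom of a risk-ranked queue.

```python
"""Flag NVD-style CVE records that lack the enrichment data needed to prioritise them.

Assumption: records follow the NVD CVE API 2.0 JSON shape
(vulnerabilities[].cve.{id, vulnStatus, metrics, configurations}).
All sample data below is constructed for illustration.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample response; CVE IDs are placeholders, not real entries.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001", "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        # Unenriched record: this is what the backlog produces.
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}, "configurations": []}},
        # Partially enriched: a score exists but no affected-product data.
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]},
                 "configurations": []}},
    ]
})


@dataclass
class Triage:
    cve_id: str
    status: str
    base_score: Optional[float]
    cpe_count: int
    gaps: List[str] = field(default_factory=list)


def _base_score(cve: dict) -> Optional[float]:
    """Return the first available CVSS base score, preferring newer versions."""
    metrics = cve.get("metrics") or {}
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key) or []
        if entries:
            return entries[0].get("cvssData", {}).get("baseScore")
    return None


def _cpe_count(cve: dict) -> int:
    """Count CPE match entries across all configuration nodes."""
    count = 0
    for cfg in cve.get("configurations") or []:
        for node in cfg.get("nodes") or []:
            count += len(node.get("cpeMatch") or [])
    return count


def triage_records(raw_json: str) -> List[Triage]:
    """Evaluate every record and note which enrichment fields are missing."""
    results = []
    for item in json.loads(raw_json)["vulnerabilities"]:
        cve = item["cve"]
        t = Triage(cve["id"], cve.get("vulnStatus", ""), _base_score(cve), _cpe_count(cve))
        if t.base_score is None:
            t.gaps.append("no CVSS score")
        if t.cpe_count == 0:
            t.gaps.append("no CPE configuration")
        results.append(t)
    return results


def needs_manual_review(raw_json: str) -> List[str]:
    """IDs that must not be ranked purely by score because enrichment is incomplete."""
    return [t.cve_id for t in triage_records(raw_json) if t.gaps]


if __name__ == "__main__":
    for t in triage_records(SAMPLE_NVD_RESPONSE):
        print(f"{t.cve_id} status={t.status!r} score={t.base_score} cpes={t.cpe_count} gaps={t.gaps}")
    print("manual review:", needs_manual_review(SAMPLE_NVD_RESPONSE))
```

The point of separating "no score" from "no CPE" is that the two gaps break different steps: a missing score defeats severity ranking, while a missing CPE list defeats asset matching, so a record with a score but no CPEs still cannot be tied to anything in an inventory.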

Conclusion

The backlog of unanalyzed CVEs in the NVD program presents a serious risk to global security. It is crucial for NIST to address this issue promptly to ensure effective vulnerability management. The industry consortium established by NIST may provide a solution for sustaining and improving the NVD program in the future.

References

[1] https://blog.projectdiscovery.io/urgent-call-to-action-restoring-the-national-vulnerability-database/
[2] https://www.infosecurity-magazine.com/news/open-letter-nist-restore-nvd/