The US National Vulnerability Database (NVD) is in crisis: its backlog of unanalyzed vulnerabilities has grown past 9,762 entries, leaving the organizations that depend on NVD enrichment (severity scores, weakness types and affected-product identifiers) without that data for thousands of recent CVEs.

Description

Since May 9 [2], the NVD has not been processing newly published vulnerabilities because of a migration to the new CVE JSON record format. Analysis stopped while the migration was under way, and unenriched CVEs have accumulated into the current backlog. Private firms such as RiskHorizon.ai have launched an NVD Backlog Tracker to monitor how many entries remain unprocessed [2]. Separately, the US Cybersecurity and Infrastructure Security Agency (CISA) started its Vulnrichment program, which adds enrichment data (CVSS scores, CWE weakness types and CPE product identifiers) to CVE records so that consumers are not left entirely without metadata while the NVD catches up. There is ongoing debate about whether responsibility for the database should move to the private sector or remain with federal agencies such as NIST. In parallel, efforts are under way to automate parts of the analysis process to improve both the quality and the timeliness of NVD data.
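
The backlog tracker mentioned above measures how many CVE records are still waiting for NVD analysis. The script below is an added example, not the tracker's own code and not code from NIST or CISA: it shows how a team can compute the same measure for itself from records in the shape returned by the public NVD API 2.0 (https://services.nvd.nist.gov/rest/json/cves/2.0). It relies on two facts about that format: each record carries a `vulnStatus` field ("Received", "Awaiting Analysis", "Undergoing Analysis", "Analyzed", "Modified", "Rejected"), and CVSS entries under `metrics` name their `source`, with NVD's own analysis published under `nvd@nist.gov` as the `Primary` metric. The input below is a constructed sample with placeholder IDs (CVE-0000-000N), not real CVE records, so the block runs offline; the function names (`has_nvd_score`, `best_available_score`, `backlog_report`) are this example's own.

```python
"""Measure the NVD enrichment backlog from NVD API 2.0 records (added example)."""
import json
from collections import Counter
from datetime import datetime, timezone

NVD_SOURCE = "nvd@nist.gov"  # source of NVD's own (Primary) CVSS analysis
UNANALYZED = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# Constructed sample shaped like an NVD API 2.0 /cves/2.0 response.
# IDs, dates and scores are placeholders for illustration, not real CVE records.
SAMPLE_RESPONSE = json.dumps({
    "resultsPerPage": 5, "startIndex": 0, "totalResults": 5,
    "format": "NVD_CVE", "version": "2.0",
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2024-05-10T12:00:00.000",
                 "vulnStatus": "Awaiting Analysis", "metrics": {}}},
        # CNA supplied its own score, but NVD has not analyzed the record yet.
        {"cve": {"id": "CVE-0000-0002", "published": "2024-05-12T08:30:00.000",
                 "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                                "cvssData": {"version": "3.1", "baseScore": 7.5,
                                                             "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-0000-0003", "published": "2024-04-01T00:00:00.000",
                 "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "type": "Primary",
                                                "cvssData": {"version": "3.1", "baseScore": 9.8,
                                                             "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-0000-0004", "published": "2024-05-20T00:00:00.000",
                 "vulnStatus": "Undergoing Analysis", "metrics": {}}},
        {"cve": {"id": "CVE-0000-0005", "published": "2024-05-21T00:00:00.000",
                 "vulnStatus": "Rejected", "metrics": {}}},
    ],
})


def has_nvd_score(cve):
    """True if NVD itself has published a CVSS score for this record."""
    for entries in cve.get("metrics", {}).values():
        for metric in entries:
            if metric.get("source") == NVD_SOURCE:
                return True
    return False


def best_available_score(cve):
    """Highest CVSS base score from any source (CNA, ADP or NVD), or None if none exists.

    During the backlog this is the only score many records have, so a scanner that
    reads Primary/NVD metrics alone will report nothing for them."""
    scores = [metric["cvssData"]["baseScore"]
              for entries in cve.get("metrics", {}).values()
              for metric in entries if "cvssData" in metric]
    return max(scores) if scores else None


def backlog_report(response_json, now=None):
    """Summarize an API 2.0 response: counts per status and the unanalyzed records,
    oldest first, each with its age and whatever fallback score is available."""
    now = now or datetime.now(timezone.utc)
    data = json.loads(response_json)
    by_status = Counter()
    unanalyzed = []
    for item in data["vulnerabilities"]:
        cve = item["cve"]
        by_status[cve["vulnStatus"]] += 1
        if cve["vulnStatus"] in UNANALYZED and not has_nvd_score(cve):
            # NVD timestamps carry no zone designator; they are UTC.
            published = datetime.fromisoformat(cve["published"]).replace(tzinfo=timezone.utc)
            unanalyzed.append({"id": cve["id"], "status": cve["vulnStatus"],
                               "age_days": (now - published).days,
                               "fallback_score": best_available_score(cve)})
    unanalyzed.sort(key=lambda r: r["age_days"], reverse=True)
    return {"total": data["totalResults"], "by_status": dict(by_status),
            "unanalyzed": unanalyzed,
            "oldest_age_days": unanalyzed[0]["age_days"] if unanalyzed else 0}


if __name__ == "__main__":
    report = backlog_report(SAMPLE_RESPONSE)
    print(json.dumps(report, indent=2))
```

To run this against live data instead of the constructed sample, fetch the same endpoint with `pubStartDate` and `pubEndDate` (ISO 8601 timestamps) and page through `startIndex`; the response has the same `vulnerabilities` array shape. The `fallback_score` field is the practical point: a record can sit in "Awaiting Analysis" for weeks while a CNA score is already present, so tooling that only honours NVD's Primary metric silently drops those findings.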

Conclusion

Failure to clear the backlog and restore normal NVD operations would have significant consequences for software supply chain risk management and national security [1]. Restoring and strengthening the NVD is therefore urgent, and experts are calling on Congress to allocate the additional funding and resources needed to treat the database as critical infrastructure. Sustained collaboration between the private sector and federal agencies is essential to keep vulnerability management effective and to maintain consistent standards for the enrichment data the ecosystem depends on.

References

[1] https://www.databreachtoday.com/experts-warn-nvd-backlog-reaching-breaking-point-a-25191
[2] https://www.infosecurity-magazine.com/news/nist-cve-stop-questioned/