NIST has stopped enriching its vulnerability list - and no one knows why

News
By Sead Fadilpašić
published

NIST apparently wants to improve certain processes.

Padlock against circuit board/cybersecurity background
(Image credit: Future)

The US National Institute of Standards and Technology (NIST) is working on improving how it adds vulnerabilities to its National Vulnerability Database (NVD), but the process has left many organizations tapping in the dark when it comes to securing their premises.

The process began in mid-February 2024, when researchers observed a severe drop in the number of software vulnerability enrichments in NVD, the most popular database for software vulnerabilities on the planet.

Enriching an NVD entry means adding crucial metadata to a disclosed vulnerability: what the flaw is, which software it affects, how severe it is, etc.

Replacing CPE

Without this information, IT teams everywhere will only know that a certain vulnerability exists - it’s up to them, and their peers, to establish where it exists, how dangerous it is, and how it can be addressed. Apparently, since the drop was first spotted, more than 2,500 vulnerabilities were added to the database, without crucial information.

As expected, the industry rallied, and NIST was forced to respond. A few days later, a NIST announcement said there could be “delays in analysis efforts” because NIST “is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.”

This explanation seems to have only made things worse. Some users wanted to know more about the consortium, its members, its modus operandi, and other details. Others were questioning the necessity for such a major change, as the industry set up a “pretty efficient” system that’s been in use for years. NIST is yet to provide further details. 

In truth, nobody really knows what NIST is trying to achieve, or why. Some speculate that the organization is looking to replace Common Product Enumerators (CPE), possibly with Software Identification (SWID) tags. Whatever the case may be, NIST was heavily criticized for its lack of transparent communications.

Via Infosecurity Magazine

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.