NIST’s NVD has encountered a problem
Help Net Security – Zeljka Zorz
The NVD has been struggling since mid-February 2023, failing to fully update vulnerability entries with details like descriptions, severity scores, references, and CPE metadata.
This is impacting vulnerability management efforts, as many security tools rely on the NVD’s CPE entries to pinpoint and address flaws across an organization’s systems.
NIST has not provided a clear explanation for the problem or timeline for resolution.
While alternative free databases like OSV and GitHub Advisory exist, the NVD remains crucial for metadata on proprietary software vulnerabilities.
Security vendors like Rapid7 and Qualys have reassured customers their products don’t solely depend on the NVD.
The situation highlights long-standing issues with the NVD and the need for a more sustainable vulnerability database solution.
Proposed solutions include an interim database with better identifiers and a long-term, internationally supported alternative not reliant solely on government funding.
There are calls for the NVD to either undergo drastic changes or be replaced entirely to better serve the cybersecurity community’s vulnerability management needs.
Link: https://www.helpnetsecurity.com/2024/03/19/nvd-vulnerability-management/