Update delays to NIST vulnerability database alarms researchers
SC Media – Simon Hendery
The NVD, maintained by NIST, is the world’s most widely used vulnerability database, adding information on over 29,000 flaws in 2022 alone
Recent entries in the NVD lack enrichment data like descriptions, impacted software, severity scores, weakness details, patch availability, etc. – information crucial for security teams
Only about 8% of entries added since Feb 12 have a CPE (common platform enumeration) associated, which helps identify affected software
NIST added a notice on Feb 15 acknowledging delays in CVE analysis, citing efforts to establish a consortium to improve the NVD program
The lack of enrichment affects over 2,000 entries, according to analyses by NetRise, Anchore and Cisco
Potential causes include a spike in reported vulnerabilities amid shrinking budgets at NIST, straining human analysis resources
This poses major challenges for vulnerability management tools and security efforts that rely on accurate NVD data to identify and prioritize risks
Experts criticize the lack of transparency from NIST on the issues, plans for the consortium, and potential delays
Comparisons are drawn to automotive recall processes, suggesting legislation may be needed to treat software vulnerabilities similarly.
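As an added example, not code from the SC Media article or from NIST, the check below computes the kind of enrichment statistic cited above (share of recent entries with a CPE, CVSS score and CWE) over JSON in the shape of the NVD CVE API 2.0 response; the CVE ids, product names and dates in the embedded sample are constructed.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample in the shape of an NVD CVE API 2.0 response, trimmed to the
# fields this check reads. CVE ids, products and dates are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "published": "2024-02-10T10:15:00.000", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "published": "2024-02-13T08:00:00.000", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:example:fw:2.1:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "published": "2024-02-16T12:30:00.000", "vulnStatus": "Undergoing Analysis",
             "metrics": {}, "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:example:lib:3.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0004", "published": "2024-02-20T09:45:00.000", "vulnStatus": "Awaiting Analysis"}},
]})

def has_cpe(cve: Dict[str, Any]) -> bool:
    """True if any configuration node carries at least one CPE match."""
    return any(node.get("cpeMatch") for cfg in cve.get("configurations", []) for node in cfg.get("nodes", []))

def has_cvss(cve: Dict[str, Any]) -> bool:
    """True if any CVSS metric list (v2, v3.0, v3.1, v4.0) is non-empty."""
    return any(cve.get("metrics", {}).values())

def has_cwe(cve: Dict[str, Any]) -> bool:
    """True only for a real CWE id; NVD-CWE-noinfo / NVD-CWE-Other are not enrichment."""
    return any(d.get("value", "").startswith("CWE-")
               for w in cve.get("weaknesses", []) for d in w.get("description", []))

def enrichment_report(feed_json: str, since: Optional[str] = None) -> Dict[str, Any]:
    """Count enrichment fields over entries published on or after `since` (YYYY-MM-DD)."""
    report: Dict[str, Any] = {"total": 0, "with_cpe": 0, "with_cvss": 0, "with_cwe": 0, "unenriched": []}
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        if since and cve["published"][:10] < since:  # ISO dates compare correctly as strings
            continue
        report["total"] += 1
        cpe, cvss, cwe = has_cpe(cve), has_cvss(cve), has_cwe(cve)
        report["with_cpe"] += cpe
        report["with_cvss"] += cvss
        report["with_cwe"] += cwe
        if not (cpe and cvss and cwe):  # anything missing means a scanner cannot match or rank it
            report["unenriched"].append((cve["id"], cve.get("vulnStatus", "?")))
    report["cpe_pct"] = round(100 * report["with_cpe"] / report["total"], 1) if report["total"] else 0.0
    return report

if __name__ == "__main__":
    print(enrichment_report(SAMPLE_FEED, since="2024-02-12"))
```

Against a real pull from the API the `unenriched` list is what a vulnerability-management team should track, since those ids are invisible to CPE-based matching and have no score to prioritise on.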
Link: https://www.scmagazine.com/news/update-delays-to-nist-vulnerability-database-alarms-researchers