Backlogs at National Vulnerability Database prompt action from NIST and CISA

Original Source: CSO Online

“This is something our team at Chainguard tracks quite closely, as we patch CVEs daily in open-source security projects. We are now relying on industry alternatives and social media to ensure we are triaging CVEs as quickly as we can versus waiting for NVD to triage and publish.”

The NVD situation became so desperate that Chainguard, along with more than 50 other cybersecurity researchers and practitioners, wrote a letter in April to the US House and Senate Science, Space, and Technology and Appropriations committees, and Commerce Secretary Gina Raimondo, pleading for legislative intervention.

“In recent years, vulnerability exploitation has resulted in significant societal impacts, including major ransomware attacks on critical infrastructure,” they wrote, and went on to note that the NVD “is a critical tool in defending against these threats, and its continued availability is essential for national security. We are deeply concerned by recent changes which threaten to cripple the NVD and urge you to investigate thoroughly and prioritize modernization of the database.”

The NVD is seen as an essential resource for companies planning their security processes

The NVD is a standardized platform for reporting and scoring security vulnerabilities and it serves as a valuable starting point for corporate security triage processes, providing an initial assessment of a vulnerability’s importance and urgency, said Shane Miller, a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative. “The NVD’s classifications also provide data that help form a high-level view of security trends across the industry.”

The NVD also plays a vital role in helping CISOs and their organizations to allocate security resources efficiently. “With tens of thousands of vulnerabilities discovered each year, cybersecurity professionals need a reliable method to select which vulnerabilities to remediate first,” said James Robertson, cyber-DevOps program director at the University of Maryland Global Campus (UMGC).

“Since we don’t have the resources to mitigate all vulnerabilities, we need a method to rank order them based on possible impact and exploitability to an organization. Enter the NVD and their Common Vulnerability Scoring System,” Robertson said.
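The triage step Robertson describes, ranking vulnerabilities by CVSS score, breaks down when the NVD record has no analysis yet, which is exactly the gap Chainguard fills from industry alternatives. The following added example (not code from the article, NVD, or any of the organizations quoted) shows that workflow on a constructed sample in the shape of an NVD API 2.0 response; the response structure, the placeholder CVE identifiers, and the `ALTERNATIVE_SCORES` feed are all assumptions for illustration.

```python
"""Rank CVE records by CVSS base score, separating those still waiting on NVD analysis."""
import json

# Constructed sample in the shape of an NVD API 2.0 response (assumed structure;
# the IDs are placeholders, not real CVEs).
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-PLACEHOLDER1", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5,
                                                             "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-0000-PLACEHOLDER2", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}}},
        {"cve": {"id": "CVE-0000-PLACEHOLDER3", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8,
                                                             "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-0000-PLACEHOLDER4", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}}},
    ]
})

# Constructed stand-in for an "industry alternative" (e.g. a vendor advisory feed)
# that has already scored one record NVD has not analyzed yet. Hypothetical data.
ALTERNATIVE_SCORES = {"CVE-0000-PLACEHOLDER2": 8.8}


def nvd_base_score(cve):
    """Return the CVSS v3.1 base score from an NVD record, or None if NVD has not scored it."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    if not metrics:
        return None
    return metrics[0]["cvssData"]["baseScore"]


def triage(nvd_json, alternative_scores):
    """Split records into a ranked remediation queue and a list that still has no score.

    Records NVD has not analyzed fall back to alternative_scores when a score exists there;
    anything left unscored is returned separately so it can be triaged by hand rather than
    silently dropped to the bottom of the queue.
    """
    ranked, unscored = [], []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        score, source = nvd_base_score(cve), "nvd"
        if score is None and cve["id"] in alternative_scores:
            score, source = alternative_scores[cve["id"]], "alternative"
        if score is None:
            unscored.append(cve["id"])
        else:
            ranked.append((cve["id"], score, source))
    # Highest base score first: that is the remediation order.
    ranked.sort(key=lambda record: record[1], reverse=True)
    return ranked, unscored


if __name__ == "__main__":
    queue, pending = triage(SAMPLE_NVD_RESPONSE, ALTERNATIVE_SCORES)
    for cve_id, score, source in queue:
        print(f"{cve_id}: {score} (scored by {source})")
    print("still unscored, needs manual triage:", pending)
```

The point of keeping `unscored` as a separate output is that a record in "Awaiting Analysis" carries no severity at all; sorting it with a default of zero would hide a potentially critical issue behind the backlog the article describes.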

Author: CSO Online