Backlogs at National Vulnerability Database prompt action from NIST and CISA (2024)

A crisis at the key US service for analyzing and scoring vulnerabilities has been fueled by scarce resources and an explosion of reported security flaws as the volume of software production increases.


Backlogs at the US National Vulnerability Database (NVD), a critical source of information about security flaws in software, have reached crisis proportions, prompting federal agencies to seek help from the private sector.

The NVD has been steadily falling behind on its mission to act as a centralized and reliable source of standardized vulnerability information, but in February 2024 it became apparent that the backlog was crippling the repository.

“There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” the National Institute of Standards and Technology (NIST) warned on the NVD’s website.

Those backlogs are severely impacting the NVD’s enrichment of common vulnerabilities and exposures (CVE) records, including common platform enumeration (CPE) matching: the applicability statements that map a CVE to the specific products and version ranges it affects, and that vulnerability scanners and software composition analysis tools rely on to identify vulnerable software components. Without them, a CVE record says that something is vulnerable but not what.

“We are seeing a delay in CVEs being updated to the NVD as well as a significant decline of CVEs listed as ‘analyzed’ versus ‘waiting for analysis’ from the previous year,” said Kaylin Trychon, vice president of marketing at Chainguard, a software supply chain security company.

“It appears that the NVD has completely given up on adding CPE-matches to CVEs since sometime around February 15, meaning the CVE entries do not contain any metadata around ‘what software is actually affected,’” Trychon said.

“This is something our team at Chainguard tracks quite closely, as we patch CVEs daily in open-source security projects. We are now relying on industry alternatives and social media to ensure we are triaging CVEs as quickly as we can versus waiting for NVD to triage and publish.”

The NVD situation became so desperate that Chainguard, along with more than 50 other cybersecurity researchers and practitioners, wrote a letter in April to the US House and Senate Science, Space, and Technology and Appropriations committees, and Commerce Secretary Gina Raimondo, pleading for legislative intervention.

“In recent years, vulnerability exploitation has resulted in significant societal impacts, including major ransomware attacks on critical infrastructure,” they wrote, and went on to note that the NVD “is a critical tool in defending against these threats, and its continued availability is essential for national security. We are deeply concerned by recent changes which threaten to cripple the NVD and urge you to investigate thoroughly and prioritize modernization of the database.”

The NVD is seen as an essential resource for companies planning their security processes

The NVD is a standardized platform for reporting and scoring security vulnerabilities and it serves as a valuable starting point for corporate security triage processes, providing an initial assessment of a vulnerability’s importance and urgency, said Shane Miller, a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative. “The NVD’s classifications also provide data that help form a high-level view of security trends across the industry.”

The NVD also plays a vital role in helping CISOs and their organizations to allocate security resources efficiently. “With tens of thousands of vulnerabilities discovered each year, cybersecurity professionals need a reliable method to select which vulnerabilities to remediate first,” said James Robertson, cyber-DevOps program director at the University of Maryland Global Campus (UMGC).

“Since we don’t have the resources to mitigate all vulnerabilities, we need a method to rank order them based on possible impact and exploitability to an organization. Enter the NVD and their Common Vulnerability Scoring System,” Robertson said.

“The CVSS in the NVD provides a qualitative measure of the severity of the vulnerabilities so the most severe threats can be mitigated quickly, limiting possible serious damage. This is not that different from the role of a physician in an emergency room making sure the most serious illnesses are attended to first.”

The database is also an important tool in the maintenance of US national security

The NVD supports a strong cybersecurity infrastructure for the United States, Robertson said. “Backlogs in applying a CVSS for each vulnerability can put the nation at risk of increased cyber attacks, including ransomware attacks and the spread of malicious malware.”

Gartner research analyst Mitchell Schneider cautioned, however, that while organizations facing many different types of exposures are struggling with what to work on first, relying on the CVE, NVD, and CVSS scoring can be only of minimal benefit to them. “It’s better to use a prioritization engine supplied by a commercial vendor,” he said, “but not everyone wants to pay for that, so they depend on the NVD.”

A big contributor to the NVD backlog is the flood of vulnerabilities reported to the repository — more than 100 per day in 2024, according to David Lindner, CISO of Contrast Security, a maker of self-protecting software solutions.

“The number of CVEs is growing at an astounding rate, while the resources available to analyze those CVEs are not,” the Atlantic Council’s Miller said. “There were more than 4,000 critical severity vulnerabilities reported in 2022, up more than 59% over the previous year.”

More software development means an increase in reported vulnerabilities

“The number of reported CVEs is growing because of both the increasing rate of software development and increasing pressure to publicly report security vulnerabilities,” she said. “The number of software developers worldwide grew by 45% in the last two years, from 26.8 million to 38.9 million. That’s 12 million more people creating and reporting software security vulnerabilities in just two years.”

Software growth isn’t the only reason for CVE bloat. “To make vulnerabilities manageable by the NVD or anyone else, there needs to be some quality considerations to ensure that only valid vulnerabilities receive a CVE identifier assigned to them,” said Lars Wiebusch, team lead of security research, at Flexera, a provider of SaaS-based IT management solutions.

“Some organizations seem to utilize automated ways to generate CVE identifiers, which results in overeager reporting,” Wiebusch said. “Some providers of CVE identifiers are apparently bragging about the sheer number of vulnerabilities produced.”

Budget issues may also be contributing to the backlog. NIST’s latest budget of $1.46 billion is nearly 12% lower than the previous year’s. “NIST being a U.S. government entity is beneficial as a trust factor but may be detrimental because of funding cuts,” Wiebusch said.

An industry consortium to the rescue?

NIST and the US Cybersecurity and Infrastructure Security Agency (CISA) are fashioning initiatives aimed at addressing the backlog problem. In March, the NVD’s program manager Tanya Brewer announced intentions to form an industry consortium to help improve the database.

“I think it’s a good idea,” said Nick Hyatt, director of threat intelligence at Blackpoint Cyber, a threat hunting, detection, and response technology provider. “The government should continue to work with the security community to establish good relationships and move the industry forward. The NVD is a valuable resource, so NIST should do whatever they can to maintain the quality and availability of the NVD.”

“There are many gifted and talented cybersecurity professionals who can help solve the problem,” Robertson said. “Giving them a voice in this time of need could be very helpful.”

“This is a big engineering problem to solve,” he continued. “In general, adding talented team members on this project to prepare a solution is generally a good idea. The challenge is always coordination and setting the focus on the issues at hand to make sure valuable time isn’t wasted.”

While a consortium could bring valuable resources and expertise, potentially speeding up analysis and reporting, it could also introduce politicization and commercialization to the project, Lindner says.

“A diverse consortium risks disagreements and delays if there’s no strong governance model,” he said. “Allowing commercial entities into the process could lead to them prioritizing vulnerabilities affecting their products or solutions, or even prioritizing vulnerabilities to gain commercial advantage, which could potentially skew the NVD’s objectivity.”

“Transparency and careful oversight would be crucial to mitigate these risks and ensure the NVD remains a neutral and reliable source of information.”

Trychon said she does not believe a consortium is the right solution. “The NVD should remain independent. While industry collaboration with NIST and the NVD should be encouraged, a single entity should clearly own and operate NVD, given its critical role as a source of truth for the federal government.”

CISA’s ‘Vulnrichment’ project could help fill in the gaps

Meanwhile, CISA announced at the RSA conference in May its “Vulnrichment” project aimed at filling the CVE enrichment gap created by the current backlog at the NVD. The project, hosted in a public GitHub repository, will add to CVE records CPE identifiers, CVSS scores, Common Weakness Enumeration (CWE) identifiers, and exploitation statuses.

The enriched information is provided as a supplement in the standard CVE JSON record format, as a CISA-authored ADP (Authorized Data Publisher) container that sits alongside the CNA’s own data in the record, so vulnerability management systems can ingest it with the tooling they already use for CVE records. “CISA’s effort could significantly help solve the current NVD backlog,” Trychon said.

“This enriched data enhances the prioritization of vulnerability remediation efforts, facilitates a deeper understanding of vulnerability trends, and incentivizes vendors to address broader vulnerability classes,” said Sarah Jones, a cyber threat intelligence research analyst with Critical Start, a national cybersecurity services company.

“The program’s collaborative nature, which incorporates CNAs, software suppliers, and the private sector, signifies a positive step towards closing the enrichment gap.”

While CISA’s program has good intentions, its limited adoption suggests it needs further development, added Lindner. “The goal of providing more data for vulnerability prioritization is commendable, but this information should ideally be integrated directly into CVEs via the NVD. Centralization would reduce fragmentation in vulnerability data.”

“More importantly, even the best data is irrelevant if your applications don’t use the affected components, emphasizing the need for runtime analysis of third-party libraries.”
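The following Python is an added example, not code from the article, CISA or NIST. It ties together three points made on this page: the CPE-matching gap Trychon describes (CVE entries without metadata on what software is actually affected), the CVE JSON supplement that Vulnrichment publishes, and Lindner’s caveat that even well-enriched data is irrelevant if your applications do not use the affected component. It parses a constructed CVE JSON 5.1 record (CVE-2024-0000 is a placeholder identifier; “examplecorp” and “widget” are fictitious) in which the CNA supplied no CVSS, CWE or CPE data and a CISA-ADP container supplies them, then matches the affected CPEs and version range against a constructed inventory. The container layout assumed here (CVSS under metrics, SSVC under metrics[].other, CPEs under affected[].cpes) follows the CVE JSON 5.1 schema and Vulnrichment’s conventions as I understand them; treat the exact field names as an assumption to verify against the published schema and repository.

```python
"""Ingest a CVE JSON 5.1 record carrying a CISA-ADP (Vulnrichment) container and check it
against a software inventory. Constructed example: the CVE ID, vendor, product and inventory
are fictitious; field names follow CVE JSON 5.1 and Vulnrichment ADP conventions (assumption)."""
import json
import re

RECORD = json.loads("""{
 "dataType": "CVE_RECORD", "dataVersion": "5.1",
 "cveMetadata": {"cveId": "CVE-2024-0000", "state": "PUBLISHED"},
 "containers": {
  "cna": {"descriptions": [{"lang": "en", "value": "Placeholder; CNA gave no CVSS, CWE or CPE."}]},
  "adp": [{
   "title": "CISA ADP Vulnrichment",
   "providerMetadata": {"shortName": "CISA-ADP"},
   "metrics": [
    {"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}},
    {"other": {"type": "ssvc", "content": {"version": "2.0.3", "options": [
      {"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}]}}}],
   "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en",
      "description": "CWE-89 SQL Injection"}]}],
   "affected": [{"vendor": "examplecorp", "product": "widget", "defaultStatus": "unaffected",
     "cpes": ["cpe:2.3:a:examplecorp:widget:*:*:*:*:*:*:*:*"],
     "versions": [{"version": "2.0.0", "status": "affected", "lessThan": "2.4.1", "versionType": "semver"}]}]
  }]
 }
}""")

INVENTORY = [  # constructed, e.g. from an SBOM: CPE 2.3 strings with concrete versions
    "cpe:2.3:a:examplecorp:widget:2.3.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widget:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:othervendor:gadget:1.0.0:*:*:*:*:*:*:*",
]

def containers(record):
    """CNA container first, then every ADP container (Vulnrichment is one of them)."""
    yield record["containers"]["cna"]
    yield from record["containers"].get("adp", [])

def cvss(record):
    """Prefer the CNA's own CVSS; fall back to an ADP score, which is the gap Vulnrichment fills."""
    for cont in containers(record):
        for m in cont.get("metrics", []):
            for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
                if key in m:
                    return m[key]
    return None

def ssvc_exploitation(record):
    """SSVC 'Exploitation' decision point (none / poc / active): the exploitation status CISA adds."""
    for cont in containers(record):
        for m in cont.get("metrics", []):
            if m.get("other", {}).get("type") == "ssvc":
                for opt in m["other"]["content"].get("options", []):
                    if "Exploitation" in opt:
                        return opt["Exploitation"]
    return None

def cwes(record):
    """Sorted CWE IDs from every container's problemTypes."""
    return sorted({d["cweId"] for c in containers(record) for pt in c.get("problemTypes", [])
                   for d in pt.get("descriptions", []) if d.get("cweId")})

def _vtuple(v):
    """Dotted version -> comparable tuple; non-numeric parts count as 0 (a simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def version_affected(version, entry):
    """Apply one 'affected' entry (its version ranges, then defaultStatus) to a concrete version."""
    v = _vtuple(version)
    for rng in entry.get("versions", []):
        lo = _vtuple(rng["version"])
        if "lessThan" in rng:
            hit = lo <= v < _vtuple(rng["lessThan"])
        elif "lessThanOrEqual" in rng:
            hit = lo <= v <= _vtuple(rng["lessThanOrEqual"])
        else:
            hit = v == lo
        if hit:
            return rng["status"] == "affected"
    return entry.get("defaultStatus") == "affected"

def match_inventory(record, inventory):
    """Inventory CPEs (cpe:2.3:part:vendor:product:version:...) whose vendor:product the record
    lists and whose version falls in an affected range. Escaped colons in CPEs are not handled."""
    hits = set()
    for cont in containers(record):
        for entry in cont.get("affected", []):
            keys = {tuple(c.split(":")[3:5]) for c in entry.get("cpes", [])}
            for item in inventory:
                parts = item.split(":")
                if tuple(parts[3:5]) in keys and version_affected(parts[5], entry):
                    hits.add(item)
    return sorted(hits)

def triage(record, inventory):
    """The enriched, inventory-aware view a scanner needs: score, exploitation, CWE, what is exposed."""
    metric = cvss(record) or {}
    hits = match_inventory(record, inventory)
    return {"cve": record["cveMetadata"]["cveId"], "score": metric.get("baseScore"),
            "severity": metric.get("baseSeverity"), "exploitation": ssvc_exploitation(record),
            "cwes": cwes(record), "affected_in_inventory": hits,
            "action": "patch" if hits else "no exposure"}
```

Calling triage(RECORD, INVENTORY) reports the 8.8/HIGH score, the “poc” exploitation status and CWE-89 from the ADP container, and flags only the widget 2.3.0 entry: 2.4.1 is the fix version and falls outside the lessThan range, and the other vendor’s product is not listed at all. Drop the 2.3.0 entry from the inventory and the same CVE resolves to “no exposure”, which is exactly Lindner’s point. The version comparison here is deliberately simple; production matching needs CPE escaping rules and versionType-aware comparison (semver pre-release tags, custom vendor schemes), and should still be followed by the runtime reachability check he describes.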

Moving forward, the demands on the NVD will continue to grow. “We have more software than ever, more code than ever, and it’s being deployed at a larger scale than ever,” said Erik Nost, a senior analyst with Forrester, a national market research firm.

“Researchers identifying flaws has grown as well — which is a good thing. So, you’ve got more software than ever, and more people than ever assessing it.”

Article information

Author: Rob Wisoky