The U.S. National Institute of Standards and Technology (NIST) has announced a significant policy change for its National Vulnerability Database (NVD), a foundational tool for cybersecurity professionals worldwide. Citing an unmanageable increase in vulnerability reports, the agency will now limit the detailed analysis, or “enrichment,” it provides for new Common Vulnerabilities and Exposures (CVEs).
This enrichment process is what transforms a basic CVE identifier into an actionable piece of intelligence. NIST analysts traditionally add critical context, including Common Vulnerability Scoring System (CVSS) severity scores, Common Platform Enumeration (CPE) data to identify affected products, and Common Weakness Enumeration (CWE) classifications. This information allows organizations to quickly assess risk and prioritize patching.
Under the new policy, many CVEs will appear in the NVD as placeholders without this vital context. According to an analysis by The Hacker News, “CVEs that do not meet those criteria will still be listed in the NVD but will not receive enrichment.” The specific criteria for full analysis have not yet been detailed.
The impact on security operations is immediate and substantial. Without NVD-provided CVSS scores, vulnerability management teams must now perform their own manual research and analysis to prioritize flaws, a time-consuming task that increases operational costs and the risk of misjudgment. Automated security platforms that rely on NVD data feeds for context will also see their effectiveness diminished, potentially leading to critical vulnerabilities being overlooked.
This decision follows months of growing backlogs and community concern over the NVD’s processing delays. The number of published vulnerabilities has grown consistently, with nearly 30,000 CVEs issued in 2023 alone. The change effectively shifts the burden of detailed vulnerability analysis from a centralized public resource to individual organizations, challenging long-standing security practices.
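For teams whose tooling consumes NVD data feeds, the practical check is whether each record actually carries CVSS, CWE and CPE data, so that an unenriched placeholder is sent to manual review instead of being read as low severity. The following is an added example, not code from NIST or from the article: it assumes the JSON layout of the NVD CVE API 2.0 (the `metrics`, `weaknesses` and `configurations` fields), and the sample records, CVE IDs and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like an NVD CVE API 2.0 response; IDs and values are placeholders.
SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cve": {"id": "CVE-0000-0001",
    "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov",
        "cvssData": {"baseScore": 9.8}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
    "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": true, "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
  {"cve": {"id": "CVE-0000-0002",
    "metrics": {"cvssMetricV31": [{"source": "cna@example.invalid",
        "cvssData": {"baseScore": 7.5}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
  {"cve": {"id": "CVE-0000-0003", "metrics": {}}}
]}
""")

NVD_SOURCE = "nvd@nist.gov"  # source value assumed to mark NVD's own analysis
PLACEHOLDER_CWES = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

def assess(cve):
    """Report which enrichment a record lacks and where its score, if any, came from."""
    metrics = [m for group in cve.get("metrics", {}).values() for m in group]
    scores = [m["cvssData"]["baseScore"] for m in metrics]
    from_nvd = any(m.get("source") == NVD_SOURCE for m in metrics)
    cwes = {d["value"] for w in cve.get("weaknesses", []) for d in w.get("description", [])}
    cpes = [m for c in cve.get("configurations", [])
            for n in c.get("nodes", []) for m in n.get("cpeMatch", [])]
    gaps = [name for name, present in
            (("cvss", scores), ("cwe", cwes - PLACEHOLDER_CWES), ("cpe", cpes)) if not present]
    return {
        # A missing score means "unknown", so it is routed to a person, never treated as 0.0.
        "route": "scored" if scores else "manual-review",
        "score": max(scores) if scores else None,
        "score_origin": "nvd" if from_nvd else ("other" if scores else None),
        "gaps": gaps,
    }

def triage(feed):
    """Map each CVE ID in an API 2.0 response to its assessment."""
    return {v["cve"]["id"]: assess(v["cve"]) for v in feed["vulnerabilities"]}

if __name__ == "__main__":
    for cve_id, result in triage(SAMPLE).items():
        print(cve_id, result)
```

Tracking the size of the `manual-review` queue and the per-field gap counts over time shows how much analysis work has moved in-house.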




