NIST Quietly Stops Enriching Most CVEs. Your Scanner Doesn't Know Yet.

5 min read 1 source clear_take
├── "The NVD backlog is a structural collapse, not a temporary staffing issue, and it undermines the entire vulnerability management ecosystem"
│  ├── Risky Business (Risky Business) → read

Reports that NIST has acknowledged it cannot process vulnerabilities at the rate they're being disclosed. The enrichment rate cratered in February 2024 and never recovered despite contractor support and recovery plans, with tens of thousands of CVEs sitting in 'Awaiting Analysis' status for months.

│  └── top10.dev editorial (top10.dev) → read below

Argues that the quiet degradation of NVD doesn't just affect one tool — it degrades the entire downstream ecosystem that treats CVSS-scored, CPE-tagged CVEs as the atomic unit of vulnerability intelligence. Without enrichment, a CVE is essentially a placeholder that scanners cannot act on programmatically.

├── "The root cause is a supply-demand mismatch: CVE submissions are accelerating while NIST's capacity is flat or declining"
│  └── Risky Business (Risky Business) → read

Notes that CVE submissions have been accelerating, driven partly by the expansion of CNA (CVE Numbering Authority) assignments to more organizations, while NIST's processing capacity remained flat or declined. The math simply never worked for recovery.

└── "The industry needs to move beyond dependence on a single government-run enrichment bottleneck"
  └── top10.dev editorial (top10.dev) → read below

Frames the NVD as a two-decade-old backbone that tools like Qualys, Snyk, Tenable, and npm audit all depend on for severity scores and affected version data. The implication is that this single point of failure model is no longer sustainable and the industry must find alternatives or distributed enrichment approaches.

What happened

NIST has effectively given up on enriching the majority of CVEs in the National Vulnerability Database. As reported by Risky Business, the agency — which has been struggling with a massive and growing backlog since early 2024 — has now acknowledged that it simply cannot process the volume of incoming vulnerabilities at anything close to the rate they're being disclosed.

The NVD backlog isn't a temporary staffing problem; it's a structural collapse of the system the entire industry built its vulnerability management on. When NIST "enriches" a CVE, it adds the metadata that makes the raw identifier useful: CVSS severity scores, a CWE weakness classification, Common Platform Enumeration (CPE) applicability statements that map the vulnerability to specific products and version ranges, and tagged reference links. Without that enrichment, a CVE is essentially a placeholder: a number with a description, but nothing your scanner can match against an asset inventory or rank programmatically.

The backlog has been building for over two years now. NIST's enrichment rate cratered in February 2024 and never recovered. Tens of thousands of CVEs sit in the NVD with "Awaiting Analysis" or "Undergoing Analysis" status, some for months. The agency brought on contractor support and announced recovery plans, but the math never worked: CVE submissions have been accelerating (driven partly by the expansion of CNA — CVE Numbering Authority — assignments to more organizations), while NIST's processing capacity remained flat or declined.

Why it matters

The NVD has been the de facto backbone of automated vulnerability management for two decades. When your Qualys scan, your Snyk dashboard, your Tenable report, or your `npm audit` output gives you a severity score and tells you which versions are affected, that data frequently traces back to NVD enrichment. The quiet degradation of NVD doesn't just affect one tool — it degrades the entire downstream ecosystem that treats CVSS-scored, CPE-tagged CVEs as the atomic unit of vulnerability intelligence.

The practical impact is already visible. Security teams running compliance programs that require CVSS scoring for prioritization are finding gaps. Automated patch management systems that trigger on NVD severity thresholds are missing vulnerabilities entirely, not because the vulns don't exist, but because nobody scored them. If your vulnerability SLA says "patch all Critical CVEs within 72 hours," and a vulnerability that would score Critical sits unenriched for weeks, it never starts the 72-hour clock at all: your SLA is technically met while your exposure grows.

This also complicates the regulatory picture. Frameworks like FedRAMP, PCI-DSS, and SOC 2 reference CVE/CVSS-based vulnerability management. When the authoritative source of CVSS scores stops producing them at scale, every organization downstream is left improvising — and auditors haven't caught up to that reality yet.

The community reaction on Hacker News (187 points) reflects genuine alarm from practitioners, not just academic concern. Multiple commenters noted they'd already observed the degradation in their own tooling — unenriched CVEs showing up as "unknown severity" in dashboards, compliance reports with gaps, and manual triage processes replacing what used to be automated.

What this means for your stack

If you haven't already, audit your vulnerability management pipeline's actual data sources. Many tools that appear to use "their own" vulnerability intelligence are, under the hood, enriching against NVD data. Ask your vendor explicitly: do you depend on NVD CPE matching? Do you fall back to NVD CVSS when you don't have your own score? The answers may surprise you.

Diversify your vulnerability intelligence now. The most viable alternatives:

- CISA Vulnrichment: CISA has been running its own CVE enrichment program specifically to backfill what NIST can't process. It publishes CVSS, CWE, CPE and SSVC decision-point data in an ADP (Authorized Data Publisher) container of the CVE record itself, so you can consume it from the CVE List without going through NVD. It's the closest thing to an official backup, but it's not yet comprehensive.
- OSV (Open Source Vulnerabilities): Google's OSV database provides vulnerability data mapped to specific open-source packages and versions. If your stack is primarily open-source (and whose isn't?), OSV often has better, faster data than NVD for the ecosystems it covers.
- GitHub Advisory Database: Covers npm, pip, Go, Rust, and other ecosystem-specific vulnerabilities with its own severity ratings and affected version ranges.
- Vendor-native feeds: Tools like Snyk, Grype, and Trivy maintain their own vulnerability databases that don't solely depend on NVD. Verify this with your specific vendor.

The practical move is to stop treating NVD as your single source of truth and start treating it as one input among several. If your compliance program requires CVSS scores specifically from NVD, start the conversation with your auditor now — before your next assessment reveals the gaps.

For teams running internal vulnerability scoring, consider whether you can supplement missing CVSS data with EPSS (Exploit Prediction Scoring System) scores, which estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. EPSS data comes from FIRST, not NIST, keys on the CVE ID alone, and is recomputed daily, so it is available the day a CVE is published. It provides a different but arguably more operationally useful signal than CVSS alone. The caveat: EPSS says nothing about which products or versions are affected, so it fills the missing severity signal, not the missing CPE mapping.
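The three steps in this section (audit which CVEs NVD has really enriched, fall back to other sources for severity, use EPSS when nothing else is scored) as one added example. This is not code from the article, nor from NIST, CISA or FIRST. It assumes the record shapes of the NVD API 2.0 (`vulnStatus`, `metrics.cvssMetricV31[].source` with `nvd@nist.gov` marking NVD's own score), of the CVE Record 5.x ADP container that CISA Vulnrichment writes (`providerMetadata.shortName` of `CISA-ADP`, `metrics[].cvssV3_1`), and of FIRST's EPSS API rows; every record is constructed, the `CVE-0000-*` IDs and `cna@example.invalid` source are placeholders, and the 0.5 EPSS floor and the HIGH bucket it maps to are this example's policy choice, not anything those programs define.

```python
"""Added example (not code from the article, NIST, CISA or FIRST): audit which CVEs
NVD has actually enriched, then resolve a working severity from fallback sources.
Record shapes mirror NVD API 2.0, CVE Record 5.x ADP containers and the FIRST EPSS
API as the author understands them; all records are constructed, IDs are placeholders."""
from dataclasses import dataclass
from typing import Optional

NVD_ENRICHED_STATUSES = {"Analyzed", "Modified"}  # only these carry NVD's own CVSS/CPE
NVD_SOURCE = "nvd@nist.gov"  # source tag NVD puts on its own scores (CNA scores differ)

# Constructed NVD API 2.0 style records with placeholder IDs (not real CVEs).
NVD_RESPONSE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "type": "Primary",
                         "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",  # CNA score only
             "metrics": {"cvssMetricV31": [{"source": "cna@example.invalid", "type": "Secondary",
                         "cvssData": {"baseScore": 9.1, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]}
# Constructed CVE Record 5.x "adp" containers of the kind CISA Vulnrichment publishes.
ADP_CONTAINERS = {"CVE-0000-0003": [{
    "providerMetadata": {"shortName": "CISA-ADP"},
    "metrics": [{"cvssV3_1": {"baseScore": 8.8, "baseSeverity": "HIGH"}},
                {"other": {"type": "ssvc", "content": {"options": [{"Exploitation": "poc"}]}}}]}]}
# Constructed FIRST EPSS API rows (the real API returns "epss" as a string).
EPSS_ROWS = {"data": [{"cve": "CVE-0000-0004", "epss": "0.93"},
                      {"cve": "CVE-0000-0001", "epss": "0.02"}]}

@dataclass
class Triage:
    cve: str
    nvd_status: str
    enriched: bool         # did NIST actually analyze this record?
    severity: str          # CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN
    source: str            # nvd, cna, cisa-adp, epss or none
    epss: Optional[float]

def index_nvd(resp):
    return {v["cve"]["id"]: v["cve"] for v in resp["vulnerabilities"]}

def index_epss(rows):
    return {r["cve"]: float(r["epss"]) for r in rows["data"]}

def nvd_cvss(rec, nvd_own):
    """baseSeverity of the first CVSS v3.1 entry that is NVD's own (nvd_own=True) or
    CNA/third-party supplied (nvd_own=False); None when there is no such entry."""
    for m in rec.get("metrics", {}).get("cvssMetricV31", []):
        if (m.get("source") == NVD_SOURCE) == nvd_own:
            return m["cvssData"]["baseSeverity"]
    return None

def cisa_adp_severity(containers):
    for adp in containers or []:
        if adp.get("providerMetadata", {}).get("shortName") != "CISA-ADP":
            continue
        for m in adp.get("metrics", []):
            if "cvssV3_1" in m:
                return m["cvssV3_1"]["baseSeverity"]
    return None

def triage(cve_id, nvd, adp, epss, epss_floor=0.5):
    """Fallback chain: NVD's own score, then the CNA score NVD passes through
    unreviewed, then CISA's ADP score, then EPSS as a last-resort signal."""
    rec = nvd.get(cve_id, {})
    status = rec.get("vulnStatus", "Missing")
    enriched = status in NVD_ENRICHED_STATUSES
    prob = epss.get(cve_id)
    sev = nvd_cvss(rec, nvd_own=True) if enriched else None
    if sev:
        return Triage(cve_id, status, enriched, sev, "nvd", prob)
    sev = nvd_cvss(rec, nvd_own=False)
    if sev:
        return Triage(cve_id, status, enriched, sev, "cna", prob)
    sev = cisa_adp_severity(adp.get(cve_id))
    if sev:
        return Triage(cve_id, status, enriched, sev, "cisa-adp", prob)
    if prob is not None and prob >= epss_floor:
        # No CVSS anywhere but a high exploitation probability: rate it HIGH so it
        # enters the patch queue instead of vanishing as "unknown severity".
        return Triage(cve_id, status, enriched, "HIGH", "epss", prob)
    return Triage(cve_id, status, enriched, "UNKNOWN", "none", prob)

def unenriched(cve_ids, nvd):
    """Audit: which of the scanner's CVEs has NVD not actually analyzed?"""
    return sorted(c for c in cve_ids
                  if nvd.get(c, {}).get("vulnStatus") not in NVD_ENRICHED_STATUSES)

def sla_queue_nvd_only(cve_ids, nvd, levels=("CRITICAL",)):
    """The pattern the article warns about: only NVD's own score counts, so an
    unenriched CVE never starts the SLA clock, however bad it is."""
    return sorted(c for c in cve_ids if nvd_cvss(nvd.get(c, {}), nvd_own=True) in levels)

def sla_queue_federated(cve_ids, nvd, adp, epss, levels=("CRITICAL", "HIGH")):
    return sorted(c for c in cve_ids if triage(c, nvd, adp, epss).severity in levels)

if __name__ == "__main__":
    nvd, epss = index_nvd(NVD_RESPONSE), index_epss(EPSS_ROWS)
    print("not enriched by NVD:", unenriched(list(nvd), nvd))
    print("NVD-only CRITICAL queue:", sla_queue_nvd_only(list(nvd), nvd))
    print("federated queue:", sla_queue_federated(list(nvd), nvd, ADP_CONTAINERS, epss))
```

Run as a script, it shows the gap the section describes: the NVD-only queue holds one CVE while three "Awaiting Analysis" records, one of them with a CNA-supplied Critical score sitting right there in the NVD response, never enter it; the federated queue picks up all four, each tagged with where its severity came from. `unenriched` is the list to hand your scanner vendor when you ask whether they fall back to NVD, and the `source` field on each `Triage` is what an auditor will want to see once your compliance language stops saying "NVD CVSS".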

The deeper structural problem

This isn't really about NIST's budget or staffing, though those are contributing factors. The fundamental issue is that the CVE ecosystem was designed for an era when vulnerability disclosure happened at hundreds per year, not tens of thousands. The system scaled linearly while the problem scaled exponentially.

The CVE program itself narrowly avoided a funding crisis in 2025 when MITRE's contract was briefly in jeopardy. That was a near-miss that prompted the formation of the CVE Foundation as a backstop. But the NVD enrichment side — the part that makes CVEs operationally useful — has been quietly failing without the same level of drama or intervention.

There's an argument that centralized, government-run vulnerability enrichment was always going to hit this wall. The commercial vulnerability intelligence market (Qualys, Rapid7, Tenable, Snyk, etc.) has been building proprietary enrichment for years, partly because NVD was too slow even before the crisis. What's changed is that NVD has gone from "slow but eventually complete" to "incomplete and getting worse."

Looking ahead

The most likely outcome is a gradual, messy transition to a federated model where multiple organizations contribute enrichment data — essentially what CISA's Vulnrichment is prototyping. The CVE Foundation may eventually take on coordination of enrichment alongside identifier assignment. But that transition will take years, and in the meantime, the industry is operating with degraded visibility.

The teams that adapt fastest — by diversifying their vulnerability data sources, building internal enrichment capabilities, and updating compliance language to reflect reality — will have a genuine security advantage. Everyone else will be managing vulnerabilities with an increasingly outdated map. The NVD isn't dead, but it's no longer the reliable utility the industry assumed it would always be. Plan accordingly.

Hacker News 221 pts 52 comments

NIST gives up enriching most CVEs

→ read on Hacker News
smsm42 · Hacker News

> This opens the door for a lot of infosec drama. Some of the organizations that issue CVE numbers are also the makers of the "reported" software, and these companies are extremely likely to issue low severity scores and downplay their own bugs.

It is true but the reverse is also true. I

strenholme · Hacker News

The deluge of new security reports is somewhat of a pain in the butt for those of us who have written notable open source software decades ago that is still in use. I recently got about a dozen reports from one reporter, and they look to be AI-assisted reports. Long story short, the reports were thin

eyberg · Hacker News

So first off - NVD has been sliding for a long time now. This has nothing to do with mythos. The amount of money that goes into this program for the output is straight up criminal. For a very long time the security world has basically given up on defense and relies on prioritizing cves. This is wrong

tptacek · Hacker News

The NVD was an absolutely wretched source of severity data for vulnerabilities and there is no meaningful impact to vendors/submitters supplying their own CVSS scores, other than that it continues the farce of CVSS in a reduced form, which is a missed opportunity.

rwmj · Hacker News

https://archive.ph/S8ajd

"Enrichment" apparently is their term for adding detailed information about bugs to the CVE database.
