NVD overwhelmed, reprioritizing

NIST says its National Vulnerability Database has seen submissions up roughly 263% since 2020 and is shifting to prioritize flaws that are already exploited in critical infrastructure. (x.com) The guidance means many newly reported bugs may wait for triage unless there’s evidence of active exploitation. (x.com)

The National Institute of Standards and Technology is no longer promising full writeups for every newly reported software flaw in the National Vulnerability Database. (nist.gov) The database is the federal catalog that adds severity scores, affected-product lists and other details to Common Vulnerabilities and Exposures (CVE) entries, the standard IDs used to track security bugs. Starting April 15, 2026, the agency said it will “enrich” only selected entries instead of all of them. (nist.gov)

NIST said submissions to the database rose 263% between 2020 and 2025, and the first three months of 2026 ran nearly one-third above the same period a year earlier. The agency said it enriched nearly 42,000 entries in 2025, 45% more than in any prior year, but still could not keep up. (nist.gov)

Under the new rules, NIST will prioritize flaws already listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog, with a goal of adding details within one business day of receipt. It will also prioritize software used in the federal government and “critical software” as defined under Executive Order 14028. (nist.gov) Bugs that do not meet those criteria will still appear in the database, but they will be marked “Not Scheduled” instead of receiving immediate analysis. NIST said outside users can ask for a specific unscheduled entry to be enriched by emailing the program. (nist.gov)

The shift follows a backlog NIST had already disclosed in February 2024, when it said a growing pile of vulnerabilities was waiting for analysis because of rising volume and changes in interagency support. At the time, the agency said it was reassigning staff and exploring a consortium with industry and government partners. (nvd.nist.gov)

The pressure is visible on NIST’s public dashboard. As of this week, the site showed 32,497 records “Awaiting Analysis,” 1,061 “Undergoing Analysis,” and 94,546 marked “Deferred.” (nvd.nist.gov)

The Known Exploited Vulnerabilities list that now sits at the front of the line is maintained by CISA and is updated frequently, whenever attackers are observed using a flaw in the real world. CISA posted additions to that catalog on April 14, April 13 and several other dates this month. (cisa.gov)

NIST also said it will stop routinely generating its own severity score when the organization that assigned the CVE number (the CVE Numbering Authority, or CNA) has already supplied one. The agency said the narrower workflow is meant to stabilize the database while it builds more automation for the longer term. (nist.gov)
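As an added illustration, not part of the article or of any NIST tooling, here is one way a defender's own triage script might adapt to the change: rank records KEV-first, fall back to the CNA-supplied CVSS score when NVD has not added its own, and flag “Not Scheduled” entries that carry no score at all. The sample records are constructed, and the JSON field names follow the NVD API 2.0 and CISA KEV feed layouts as I understand them, which is an assumption to verify against the live schemas.

```python
# Constructed sample, shaped like the NVD API 2.0 and CISA KEV JSON feeds
# (field names are my assumption; verify against the live schemas).
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "metrics": {
        "cvssMetricV31": [{"type": "Primary", "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled", "metrics": {
        "cvssMetricV31": [{"type": "Secondary", "cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Not Scheduled", "metrics": {}}},
]}
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-0000-0003"}]}


def triage(nvd: dict, kev: dict) -> list[dict]:
    """Order records KEV-first, then by the best available CVSS score.

    NVD's own score is the 'Primary' metric; a CNA-supplied score is 'Secondary'.
    Since NVD no longer always adds a Primary score, fall back to the CNA's.
    Entries marked 'Not Scheduled' with no score at all are flagged so a team
    can decide whether to request enrichment or score them internally.
    """
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    rows = []
    for rec in nvd["vulnerabilities"]:
        cve = rec["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        by_type = {m.get("type"): m for m in metrics}
        best = by_type.get("Primary") or by_type.get("Secondary")
        status = cve.get("vulnStatus")
        score = best["cvssData"]["baseScore"] if best else None
        rows.append({
            "id": cve["id"],
            "status": status,
            "in_kev": cve["id"] in kev_ids,
            "score": score,
            "score_source": "nvd" if "Primary" in by_type else ("cna" if best else None),
            "needs_request": status == "Not Scheduled" and score is None,
        })
    # KEV-listed entries first (mirrors NVD's own queue), then highest score.
    rows.sort(key=lambda r: (not r["in_kev"], -(r["score"] or 0.0)))
    return rows


if __name__ == "__main__":
    for row in triage(NVD_SAMPLE, KEV_SAMPLE):
        print(row)
```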
