NIST shifts vulnerability scoring
- NIST will move the National Vulnerability Database to a risk-based model and stop rating lower-priority flaws.
- The change follows a 263% surge in CVE submissions since 2020, overwhelming scoring capacity.
- That means public severity data will be sparser for the long tail of devices and software, shifting patch-priority decisions back to defenders (bleepingcomputer.com).
The U.S. government's main public flaw database is changing how it scores software bugs, and many lower-priority entries will no longer get a NIST severity rating. (nist.gov)

The National Institute of Standards and Technology said on April 15 that the National Vulnerability Database (NVD) will shift to a "risk-based" approach after Common Vulnerabilities and Exposures (CVE) submissions rose 263% since 2020. NIST said the volume outpaced the staff time needed to analyze every record. (nist.gov)

Under the new workflow, NIST will keep enriching vulnerabilities that affect the U.S. federal government, appear in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, or involve "critical" software and hardware. Lower-priority CVEs will still appear in the database, but many will carry only the information supplied by the original CVE source, that is, the CVE Numbering Authority or other publisher that submitted the record. (nist.gov)

The database matters because it is the federal repository many scanners, patch tools, and compliance systems use to turn a bug report into a standardized record with product names, references, and impact metrics. NIST says that data helps automate vulnerability management and security measurement across government and industry. (nist.gov)

A severity score is not the same thing as real-world danger. NIST's own guidance says the Common Vulnerability Scoring System (CVSS) measures severity, not risk, which is why the agency is now prioritizing flaws tied to active exploitation, federal use, or high-value systems. (nist.gov)

The shift follows a sustained period of strain at the database. In April 2024, NIST disclosed a growing backlog of vulnerabilities awaiting analysis and said the pileup reflected changes in interagency support and rising submissions. (nist.gov)

NIST has also been changing how it ingests data. In November 2024, the agency said its systems would begin taking supported data types directly from CVE List Authorized Data Publishers (ADPs), widening the flow of information coming into the NVD. (nist.gov)

For security teams, the practical change is that more patch decisions will depend on vendor advisories, CISA alerts, and local context instead of waiting for a NIST-issued score on every CVE. A CVE that carries no NIST score under the new model is unrated, not low-risk; triage logic that treats a missing score as zero will quietly deprioritize the long tail. CyberScoop reported that the narrower scope will leave NIST focused on critical software, federal systems, and vulnerabilities under active exploitation. (nist.gov, cyberscoop.com)

The database is not going away; its role is being narrowed. NIST said the change is meant to stabilize the program now while it builds automated systems and workflow changes for the longer term. (nist.gov)
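The fallback logic described above, as an added example that is not NIST's, NVD's, or any vendor's code: a small Python triage pass over CVE records in the NVD API 2.0 response shape. It prefers the NIST Primary CVSS metric when one exists, falls back to the CNA-supplied Secondary metric when NIST has not enriched the record, treats KEV listing and local exposure as the strongest signals, and refuses to read "no score" as "low". The field names (vulnStatus, metrics.cvssMetricV31[].source/type, cisaExploitAdd) follow that schema as understood here; the three records, their CVE IDs, and the inventory match are constructed.

```python
"""Triage CVE records when NIST enrichment may be absent.

Added example, not NIST/NVD code. Record shape follows the NVD API 2.0
response ("vulnerabilities[].cve" objects) as understood by the author;
the records below are constructed, not real NVD data.
"""
from dataclasses import dataclass
from typing import Optional

NIST_SOURCE = "nvd@nist.gov"   # source string NVD uses on its own Primary metrics

# Constructed sample records in NVD API 2.0 shape. CVE IDs are placeholders.
SAMPLE_RECORDS = [
    {   # Fully analyzed by NIST: Primary metric from nvd@nist.gov beside a CNA metric
        "id": "CVE-0000-0001",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": NIST_SOURCE, "type": "Primary",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
            {"source": "cna@example.com", "type": "Secondary",
             "cvssData": {"baseScore": 6.1, "baseSeverity": "MEDIUM"}},
        ]},
    },
    {   # Not enriched by NIST: only the CNA-supplied metric, plus the CISA KEV
        # fields NVD attaches when CISA lists the CVE as exploited
        "id": "CVE-0000-0002",
        "vulnStatus": "Awaiting Analysis",
        "cisaExploitAdd": "2026-04-01",
        "cisaActionDue": "2026-04-22",
        "metrics": {"cvssMetricV31": [
            {"source": "cna@example.com", "type": "Secondary",
             "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}},
        ]},
    },
    {   # Not enriched and no metric at all: nothing but the CNA's description
        "id": "CVE-0000-0003",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {},
    },
]


@dataclass
class Triage:
    cve_id: str
    score: Optional[float]
    score_source: str   # "nist", "cna", or "none"
    in_kev: bool
    exposed: bool
    priority: str       # "P1" (most urgent) .. "P4"


def best_metric(cve: dict) -> tuple[Optional[float], str]:
    """Prefer NIST's Primary CVSS v3.1 metric; otherwise fall back to any
    Secondary (CNA/ADP-supplied) metric; otherwise report no score."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    for m in metrics:
        if m.get("type") == "Primary" and m.get("source") == NIST_SOURCE:
            return m["cvssData"]["baseScore"], "nist"
    for m in metrics:
        if m.get("type") == "Secondary":
            return m["cvssData"]["baseScore"], "cna"
    return None, "none"


def triage(cve: dict, locally_affected: set[str]) -> Triage:
    """locally_affected: CVE IDs your asset inventory matched (a stand-in for
    the CPE/SBOM matching step, which is out of scope here)."""
    score, source = best_metric(cve)
    in_kev = "cisaExploitAdd" in cve          # present only for KEV-listed CVEs
    exposed = cve["id"] in locally_affected   # local context, not a public score
    if in_kev and exposed:
        prio = "P1"
    elif in_kev or (exposed and score is not None and score >= 7.0):
        prio = "P2"
    elif exposed or score is None:
        # Unscored is not low: hold it for human review instead of dropping it
        prio = "P3"
    else:
        prio = "P4"
    return Triage(cve["id"], score, source, in_kev, exposed, prio)


def triage_all(records: list[dict], locally_affected: set[str]) -> dict[str, Triage]:
    return {t.cve_id: t for t in (triage(r, locally_affected) for r in records)}


if __name__ == "__main__":
    affected = {"CVE-0000-0002", "CVE-0000-0003"}   # constructed inventory match
    for t in triage_all(SAMPLE_RECORDS, affected).values():
        print(t)
```

The ordering of the two loops in best_metric is the point: a record that NIST has analyzed yields the Primary score even when a CNA metric is also present, while an unenriched record yields the CNA score with its provenance recorded, so downstream reports can show which numbers came from NIST and which did not.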