Voices in the vulnerability management community warned that the lasting issues of the US National Vulnerability Database (NVD) could lead to a major supply chain security crisis.
A group of 50 cybersecurity professionals signed an open letter that was sent on April 12 to the US Secretary of Commerce, Gina Raimondo, and several members of the US Congress.
The letter is titled A cybersecurity crisis in waiting: On the Need to Restore and Enhance Operations with the National Vulnerability Database.
In the document, the signatories urge Congress to investigate the ongoing issues with the NVD, help the US National Institute of Standards and Technology (NIST) restore vulnerability enrichment, and support the Institute in the modernization of the NVD program.
NVD Consortium: NIST’s Response to the Vulnerability Backlog
In early March, security researchers noticed a significant drop in vulnerability enrichment data uploads on the NVD website. The drop had started in mid-February.
While vulnerability entries (known as Common Vulnerabilities and Exposures, or CVEs) continued to be added to the database, many were not fully analyzed.
This meant that crucial metadata about CVEs, such as the corresponding Common Weaknesses and Exposures (CWEs), Common Product Enumerators (CPEs) and criticality scores (CVSS), were not added to the database.
According to its own data, NIST has analyzed only 4398 of the 10,826 CVEs received so far this year.
No tags.
