The U.S. National Vulnerability Database (NVD) was taken down by its administrators at the National Institute of Standards and Technology last Friday, March 8.
As of this morning, the site shows this message:
Site/Page Not Available
The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available. We are working to restore service as quickly as possible. We will provide updates as soon as new information is available.
Kim Halavakoski, chief security officer at Crosskey Banking Solutions, broke the news on his Google+ page. After trying to retrieve some data from the site and finding it down, Halavakoski contacted the site administrators and received a note explaining the situation. The salient points:
- On Friday, March 8, a NIST firewall detected suspicious activity and took measures to block traffic related to it.
- The servers on which the activity was detected were taken down.
- Malware was discovered on two NIST Web servers.
- The malware was traced to a software vulnerability.
- There is no evidence the NVD itself spread malware.
- NIST has no further information on when the NVD will be back up.
In a subsequent post, Halavakoski noted that Netcraft data shows NIST had been running IIS 7.5 for years, but after the breach, it was listed as running Linux and Apache. Netcraft's "risk rating" for the site is 0/10.