NIST's Vuln Database Downshifts, Prompting Questions About Its Future
NVD may be in peril, and while alternatives exist, enterprise security managers will need to plan accordingly to stay on top of new threats.
Since 2005, the National Vulnerability Database (NVD) has been posting details about the hundreds of daily common vulnerabilities and exposures (CVEs) discovered by security researchers from around the globe. But last month, the critical government-sponsored database went from being an essential tool to a nearly dark destination.
That's when NVD posted on its website a very cryptic announcement saying users "will temporarily see delays in [our] analysis efforts" as the National Institute of Standards and Technology (NIST) implements improved tools and methods. No further explanation has been forthcoming.
The freeze isn't completely across the board: A small percentage of CVEs is being documented by NIST, but by no means at the same velocity seen in prior years. This puts enterprise security managers in a bind to stay on top of new threats.
The CVE model is composed of 365 partners who collect threats, with about half of them US-based, covering a wide range of software vendors, bug bounty operators, and private research firms. Each participant posts new threats according to a careful schema to ensure that the new items are unique. Since the beginning of the year, there have been more than 6,000 new CVEs posted.
But for some unexplained reason, nearly half of these have omitted any details in the NVD, details that make the vulnerability data useful to enterprise security managers and to the numerous vulnerability management tools that can help prevent potential damages from attackers.
One of these tools is Tenable's Nessus vulnerability scanner. Its researchers point out that NIST's NVD provides added context to each particular vulnerability, context that can determine whether the threat is critical and requires immediate patching or can affect a wide population of applications and operating systems.
Dan Lorenc, CEO of Chainguard, wrote a post on LinkedIn last month documenting the situation. "The [latest] CVE entries do not contain any metadata around what software is actually affected," he wrote. "This is a massive issue and the lack of any real statement on the problem [by NIST] is troubling."
Lorenc isn't alone in that sentiment. "This is a data set of national importance," says Josh Bressers of Anchore, who also posted comments about the situation earlier this month. "I would have expected clearer communications because no one knows anything. It is all a mystery."
NIST representatives didn't reply to requests for comment from Dark Reading.
Before the February freeze, NIST regularly updated each CVE with this useful metadata; sometimes these updates would take weeks or months from the date of their discovery to disclosure in the NVD entries. "However, as the industry has seen, waiting on NIST to supplement CVE records comes at a cost. With more CVEs being issued every year, we now have more opportunities for software vendors to provide more complete CVE records," Tenable researchers said. Translated, that means someone else has to pick up the slack.
Morphisec, a security tools vendor, published a blog post describing the NVD situation earlier this month. "Smaller organizations are constantly chasing patches. The lack of metadata with NVD means they are losing the immediate benefits and will reduce their overall security," says Michael Gorelik, CTO of Morphisec. "This means that potential business disruption is inevitable, especially in the ransomware-rich landscape we have today. This is a bigger immediate problem than the threats posed by GenAI."
Tom Pace, CEO of Netrise, says the freeze is a problem. "We don't know the impacts of particular vulnerabilities anymore," he says. "This is not a good state of affairs. This data set is relied on by many people around the world. This is going to make patching more difficult and slower." That means bad actors have more time to find their way into enterprise networks.
One Alternative: MITRE Steps Up to Fill the Gap
NIST may be the agency responsible for NVD, but the lion's share of the actual work product that is behind it comes from the well-known defense contractor MITRE, since it takes care of the CVE collection. Pace says, "It isn't technical — why isn't MITRE picking up the slack? NIST has a smaller crew anyway." He calls out MITRE for falling down on its mission and leaving security teams in the dark.
Dark Reading's requests for further information from MITRE were rebuffed: "MITRE is unable to speak on this topic currently," said a company representative. Pace asks, "How can private industry figure it out on their own?"
Private industry has been working on NVD alternatives, to be sure. To that end, one security consultant commented on LinkedIn that "NVD can't be fixed and we have to give it up and fix both it and CVE together. The US government isn't going to solve this, and solutions have to be driven by the private sector."
There are numerous other data collections that have been created over the decades. Several security vendors, such as Tenable, Qualys, and Ivanti, have created their own vulnerability collections that contain more metadata details and other items to help prevent attacks. And there are several open source efforts that have been underway for years but have lately gotten more attention, thanks to the NVD freeze.
One open source effort is from VulnCheck, which has its NVD++ collection. Another is the Open Vulnerability Database (OVD) from a variety of vendors, including Google, SonarSource, GitHub, Snyk, and others. Both of these arose out of a frustration by NVD users who wanted to have better automated queries of the vulnerability data. The NIST NVD had imposed rate limits on these queries, which both NVD++ and OVD have eliminated. Switching to either collection from NIST's NVD isn't simple and will require some programming effort and testing time.
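The enrichment gap described above (CVE entries with no CVSS score and no CPE data naming the affected software) can be measured rather than guessed at. The following is an added example, not code from Dark Reading or from any of the vendors quoted; it assumes the field layout of the public NVD API 2.0 JSON response (`cve.metrics.cvssMetric*`, `cve.configurations[].nodes[].cpeMatch`) and uses a constructed feed with placeholder CVE ids. It sorts records into usable ones, with the vendor:product pairs a scanner would match against an inventory, and ones that still need metadata from a vendor advisory or an alternative collection such as NVD++ or OVD.

```python
import json

# Constructed sample shaped like an NVD API 2.0 "vulnerabilities" response; the
# field names are an assumption about that schema, the ids and values are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {
                 "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "configurations": []}},
]})


def is_enriched(cve):
    """True only when NIST has attached both a CVSS score and at least one CPE
    match; without both, a scanner can neither rate nor map the CVE automatically."""
    metrics = cve.get("metrics") or {}
    has_score = any(v for k, v in metrics.items() if k.startswith("cvssMetric"))
    has_cpe = any(node.get("cpeMatch")
                  for conf in cve.get("configurations") or []
                  for node in conf.get("nodes", []))
    return bool(has_score and has_cpe)


def affected_products(cve):
    """vendor:product pairs marked vulnerable in the CPE configurations."""
    products = set()
    for conf in cve.get("configurations") or []:
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    # cpe:2.3:<part>:<vendor>:<product>:<version>:...
                    fields = match["criteria"].split(":")
                    products.add(f"{fields[3]}:{fields[4]}")
    return products


def triage(feed_json):
    """Return (enriched ids -> affected products, [(id, vulnStatus)] still lacking
    metadata that must be sourced elsewhere, e.g. vendor advisory, NVD++, OVD)."""
    enriched, unenriched = {}, []
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        if is_enriched(cve):
            enriched[cve["id"]] = affected_products(cve)
        else:
            unenriched.append((cve["id"], cve.get("vulnStatus", "unknown")))
    return enriched, unenriched
```

Run `triage()` over a real feed page and the length of the second list is the share of records a team cannot act on from NVD alone.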
Another effort comes from China, where several government agencies have banded together to have their own vulnerability database. That could be bad news for the rest of the world because it will have restrictions on what will be published, such as lacking any proof-of-concepts that are typical of the NVD and open systems efforts. Researchers speculate that this could also lead toward more Chinese zero-day attacks, in effect, weaponizing these vulnerabilities.
Another Solution: A New Industry Consortium
Information on the NVD website cites a consortium that could operate the database, although security researchers are skeptical. The statement was thin on specifics, such as who will be part of the effort. Pace says, "We've been disclosing and enriching vulnerabilities following the same process for years, and pretty efficiently. Why would we need a consortium now?" Bressers says a consortium is possible, but the devil will be in the details when making a more useful successor to NVD. He mentions that vulnerabilities continue to see exponential growth and that any solution has to scale accordingly.
Finally, another complexity with the NVD freeze is that it goes counter to reporting requirements from other parts of the federal government. The latest version, Rev. 5, of the Federal Risk and Authorization Management program mandates that federal contractors have to use NVD as an authoritative source of threats. "It feels like NIST is somehow trying to wind this program down or hand it off while other areas of the government are forcing its adoption," noted Lorenc in his blog post. "What is going on here?"
Next week, vulnerability researchers will gather for the VulnCon conference in Raleigh, N.C., where an "NVD symposium" is on the agenda. Perhaps more details will emerge then.