Two Months In: Assessing the Impact of NIST's Enrichment Cutbacks

This article analyzes the effects of the U.S. National Vulnerability Database's (NVD) policy change, implemented on April 15, 2026, to prioritize enrichment for only a subset of CVEs. The author finds that two months in, roughly 5,100 out of 13,400 new CVEs were not scheduled for enrichment, and only about 20% of all published CVEs received a NIST CVSS vector. While time-to-analysis for prioritized CVEs has improved, the system remains sensitive to weekly volume spikes and still leaves a significant backlog. The article also highlights systemic inaccuracies in NIST's scoring compared to independent analysis, often differing in metrics like Attack Complexity and Privileges Required. The author argues that organizations can no longer rely on NIST alone for complete, timely, and accurate vulnerability data, and announces the availability of their own NVD-compatible API as an alternative enrichment source. 

https://blog.volerion.com/posts/two-months-in-nist-cuts-back-on-enrichment-efforts/

Comments

Popular posts from this blog

Prompt Engineering Demands Rigorous Evaluation

SecObserve: Simplified Vulnerability and License Management for CI/CD Pipelines

OWASP ZAP 2.16.0 Introduces Key Updates and Enhancements