Amid funding cuts, backlog of unanalyzed vulnerabilities in gov’t database is growing


Recent research shows that over 90% of the vulnerabilities added to the government’s National Vulnerability Database (NVD) since NIST announced cutbacks in February have not been analyzed or enriched.

Funding shortages and a growing influx of vulnerability reports have forced the NVD to scale back its operations, and CVE enrichment has been hit hardest. Enrichment is the work the NVD does after a CVE ID has already been assigned: adding CVSS severity scores, CWE weakness classifications, CPE identifiers for the affected products and tags on the references. That is the public data that vulnerability scanners, patch-prioritization tools and security teams consume.

According to a study by VulnCheck, 12,720 new vulnerabilities have been added to the NVD since the cutbacks were announced in February, and 11,885 of them (about 93%) have not been analyzed or enriched with the data security professionals rely on.

VulnCheck’s analysis also found that nearly half of the vulnerabilities known to be exploited have gone unanalyzed by the NVD since the slowdown began, and that 82% of bugs with a public proof-of-concept exploit remain unexamined.
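The kind of measurement VulnCheck describes can be reproduced from the NVD's own API: each record carries a `vulnStatus`, and the scores, CWEs and CPE data the NVD adds itself are tagged with the source `nvd@nist.gov`, so a record can be checked for whether enrichment has actually happened rather than just for its status. The script below is an added example written for this article, not code from VulnCheck or from NIST. It assumes the record shape documented for the NVD CVE API 2.0 (a `vulnerabilities` list of `{"cve": {...}}` objects with `vulnStatus`, `metrics`, `weaknesses` and `configurations`) and the status names used there; the sample records are constructed placeholders, not real CVEs.

```python
"""Measure the NVD enrichment backlog from NVD API 2.0 records.

Added example, not code from the article, VulnCheck or NIST. Assumes the
record shape of the NVD CVE API 2.0; the sample records are constructed
placeholders, not real CVEs.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Source string the NVD puts on the scores, CWEs and CPE data it adds itself.
NVD_SOURCE = "nvd@nist.gov"

# Statuses in which the NVD has not completed its own analysis of the record.
UNANALYZED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


@dataclass
class Enrichment:
    cve_id: str
    status: str
    nvd_cvss: bool   # the NVD's own ("Primary") CVSS score is present
    cna_cvss: bool   # a CVSS score supplied by the CNA ("Secondary") is present
    nvd_cwe: bool    # the NVD assigned a weakness classification
    cpe: bool        # CPE applicability statements ("configurations") are present

    @property
    def enriched(self) -> bool:
        """True only when the NVD has added all three kinds of enrichment data."""
        return self.nvd_cvss and self.nvd_cwe and self.cpe


def assess(cve: dict) -> Enrichment:
    """Inspect one "cve" object from an NVD API 2.0 response."""
    nvd_cvss = cna_cvss = False
    for key, entries in cve.get("metrics", {}).items():
        if not key.startswith("cvssMetric"):   # cvssMetricV2, cvssMetricV31, cvssMetricV40, ...
            continue
        for entry in entries:
            if entry.get("source") == NVD_SOURCE:
                nvd_cvss = True
            else:
                cna_cvss = True
    nvd_cwe = any(w.get("source") == NVD_SOURCE for w in cve.get("weaknesses", []))
    cpe = bool(cve.get("configurations"))
    return Enrichment(cve["id"], cve.get("vulnStatus", "Unknown"), nvd_cvss, cna_cvss, nvd_cwe, cpe)


def summarize(response: dict) -> dict:
    """Tally one page of API results the way a backlog measurement would."""
    results = [assess(item["cve"]) for item in response.get("vulnerabilities", [])]
    unanalyzed = [r for r in results if r.status in UNANALYZED_STATUSES or not r.enriched]
    return {
        "total": len(results),
        "by_status": dict(Counter(r.status for r in results)),
        "unanalyzed": [r.cve_id for r in unanalyzed],
        "unanalyzed_pct": round(100.0 * len(unanalyzed) / len(results), 1) if results else 0.0,
        # Records a CNA scored itself but the NVD has not touched: usable, but with
        # no independent severity check and no CPE data for scanners to match on.
        "cna_scored_only": [r.cve_id for r in unanalyzed if r.cna_cvss and not r.nvd_cvss],
    }


# Constructed sample: the shape of one API page, with placeholder IDs and a
# placeholder CNA contact address.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "type": "Primary",
                                                "cvssData": {"baseScore": 9.8}}]},
                 "weaknesses": [{"source": NVD_SOURCE, "type": "Primary",
                                 "description": [{"lang": "en", "value": "CWE-787"}]}],
                 "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                     {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [{"source": "security@example.com", "type": "Secondary",
                                                "cvssData": {"baseScore": 7.5}}]},
                 "weaknesses": [{"source": "security@example.com", "type": "Secondary",
                                 "description": [{"lang": "en", "value": "CWE-79"}]}]}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Received"}},
        {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    ]
}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

Run against the live service, the same `summarize` would be fed pages from `https://services.nvd.nist.gov/rest/json/cves/2.0` filtered with `pubStartDate`/`pubEndDate` and walked with `startIndex`; the API is rate-limited, so an API key and a pause between pages are needed for a full window. The `cna_scored_only` bucket is the practically important one: those records are not empty, but the only severity on them is the vendor's own assessment and there is no CPE data for a scanner to match an asset inventory against.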

Patrick Garrity of VulnCheck said the backlog hands malicious threat actors an advantage in weaponizing vulnerabilities, increasing supply chain risk across critical sectors.

Garrity noted that for the past two decades the NVD has supplied cybersecurity professionals with severity scores, reference tags and vulnerability classifications for widely used software, and said the outlook for the NVD is bleak if that data stops flowing.

Proposing a way forward, Garrity said cybersecurity companies must step in to fill the void left by the NVD’s slowdown, and stressed that CVE Numbering Authorities (CNAs) should enrich CVE records comprehensively, including detailed information about each vulnerability, at the point of submission.

Garrity also recommended prioritizing automation of CVE enrichment and allowing third parties to enrich CVE data to bridge information gaps effectively.

Responding to the concerns raised by the security community, the Cybersecurity and Infrastructure Security Agency (CISA) announced an enrichment effort called “Vulnrichment,” which adds CVSS, CWE and CPE data plus SSVC decision-point information to CVE records, addressing many of the issues Garrity raised.

CISA said it is actively enriching CVEs and urged all CNAs to submit complete records, with the enrichment data included at initial publication rather than left for the NVD to fill in.

In addition to these efforts, lawmakers have advocated for full funding for the NVD under the National Institute of Standards and Technology (NIST) to address the current challenges effectively.