NVD slowdown leaves thousands of vulnerabilities without analysis data
2024-03-22 13:45

NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.

That's a good thing, because a CVE without its NVD data is pretty meaningless.

Just weeks after the NVD update, Josh Bressers, VP of Security at software security outfit Anchore, published a post noting that since "February 15, 2024, NIST has almost completely stopped updating NVD."

As Lorenc pointed out, "Scanners, analyzers, and most vulnerability tools rely on the NVD to set these fields so they can determine what software is affected by which vulnerabilities."

The good news is that the NVD isn't the only source of truth for security bugs.

There are also efforts to replace NVD. Bressers has revealed that Anchore has an open source project called NVD Data Overrides.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/22/opinion_column_nist/