US agency NIST says it is trying to pull in support from other agencies and industry partners amid a mounting backlog of software vulnerabilities awaiting analysis under its struggling NVD programme – but one CEO told The Stack that NVD’s plans for a new consortium were “doomed”.
Patience is running thin in the cybersecurity community as National Vulnerability Database (NVD) updates flatline. This week, 50 cybersecurity professionals called for Congress to urgently “establish a plan, with clear timelines and accountability, to improve NVD processes and operations.”
They issued a letter on April 15 after NVD updates slowed to a trickle – describing the NVD as “the backbone of vulnerability management across the globe” and calling for it to be treated as critical infrastructure.
(Signatories included EY Managing Director Brian Levine, Chainguard CEO Dan Lorenc, Okta Vulnerability Management Director Maryann Horst, and Tim Pletcher, from HPE’s Office of the Security CTO, among others.)
NVD crisis: What’s happening?
The NVD analyses CVEs, or codes allocated to software vulnerabilities, and augments them with additional information like CVSS (severity) scores and CWE (details on the specific type of weakness) to inform defenders.
It pulls them in from the CVE.org database before enriching them.
But this year it has analysed fewer than half of the CVEs it has received (10,000+) after an abrupt and still unexplained slowdown that started in February. Since March 1 the NVD has analysed fewer than 300 CVEs.
That has left enterprise cybersecurity teams without critical intelligence.
Earlier request for comment by The Stack saw the NVD promise an interview with a programme manager, then renege on that decision. It instead furnished a statement that does not disclose detail on its issues.
See also: AWS overhauls IAM control plane after vulnerability exposed users
NVD said the slowdown was “based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.” (It did not clarify what this meant.) “We are also looking into longer-term solutions… including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD,” it added.
Industry stakeholders say that their questions have also not been answered. A presentation by an NVD programme manager at the VulnCon conference in late March referred to a “silly” government problem, as being behind the issue. Critics say that they have heard NVD’s plans for an industry consortium before, but that little substantial has come of them.
Less money, mo' problems?
NIST recently saw its budget slashed under a March 3 congressional funding Act; receiving $1.46 billion, nearly 12% less than in 2023.
That alone does not appear to have been the cause of the issues. Industry rumours passed on to The Stack also suggest that one CNA, or entity authorised by the CVE Program to assign CVE IDs to vulnerabilities, had erroneously uploaded a large tranche of data to the NVD that was not, in fact, CVE records – causing breakage/pollution of its systems that it is still trying to manually clean up. (We could not independently confirm this.)
In this week’s letter, which was addressed to members of Congress and the Secretary of Commerce, cybersecurity professionals including CISOs and researchers called for urgent action to address not just “the backlog of vulnerabilities at NVD” but also, longstanding issues like a “lack of support for standard file formats, and redundant or conflicting vulnerability scoring,” saying “this plan should be developed openly with public and private stakeholder input with a public comment period.”
Some of those issues result from the plethora of CNAs that are able to assign CVEs and publish CVE records that ultimately get pulled in by NVD. (There is currently 367 CNAs. Not all are strict about how they publish.)
Tom Alrich, a cybersecurity specialist and co-leader of the Open Source Foundation for Application Security (OWASP)’s SBOM Forum, told The Stack: “The NVD has a number of single points of failure. And presumably one of them failed! The amazing thing is that it seems they're having trouble even finding out what it is, that's the problem. It's so ancient…”
Alrich suggested that the CVE.org database has a much more modern infrastructure and “already has all the data that the NVD does. This is because the CVE reports come to CVE.org first, before they get passed on to the NVD”, suggesting that one fix might be to make CVE.org the nation’s (and the world’s) premier vulnerability database instead.
He suggested that a failure to take this route or resolve the issue more swiftly may have political roots: “CVE.org is [part of the] Department of Homeland Security. NVD is part of the Department of Commerce. Whenever in government you have a problem that needs to be resolved between two departments, you have to go to their common boss…”
A fix, he suggested, at this point may require “White House intervention”.
Alrich told The Stack that the NVD was fundamentally flawed even before its current apparent outage. He said: “CNAs don't follow the specifications [of the CPE that would make the database richer and more searchable.] The bigger problem here,” he suggested, is a data hygiene one: “There's no canonical way to refer to a supplier or to a product!”
The CPE is a naming convention that CNAs are meant to follow when publishing CVEs – stay with us! Alrich said it was a “terrible identifier” and is proposing that NVD use a specification called purl instead which he told The Stack "outside of the NVD and its clones is literally the only software identifier that's used today in vulnerability DBs..."
Dan Lorenc, CEO of software security firm Chainguard, meanwhile told The Stack: “The NVD was never perfect but it mostly worked. The biggest issues was a very slow update process to help correct missing or incorrect data. We still need the NVD to do scoring and product matching,” he said. (Alrich disagrees, saying "There are already at least five or six major vulnerability DBs, as well as a lot of minor ones. Some of them have a lot more data than the NVD does...")
Lorenc added by DM: “Some CVE 5.0 changes allow CNAs to help more here, but not all do that and it's harder to trust CNAs than it is NIST.”
(CVE 5.0 is a format that aims to normalise how CVE data is presented. The NVD began transitioning to it in late 2023. CVE.org meanwhile implemented the 5.0 spec in 2022, and they've now already implemented the 5.1 spec, which allows purl identifiers to be used in CVE reports.)
NVD’s apparently half-baked plans to bring in a public-private consortium (it has published few details in public and not shared more in private) were “doomed” Lorenc said. The program was just “too slow” and it looked like it would end up being a “pay to play” system he said.
(Alrich said it would not be pay-to-play but that "every organization that wants to join will have to negotiation their own unique Cooperative R&D Agreement (CRADA) with NIST... guess how long that might take!")
Meanwhile along with his fellow signatories Lorenc wants near-term action.
As the letter puts it: "Beginning with Executive Order 14028 the United States Government has pursued an ambitious agenda to raise the bar for cybersecurity capabilities across multiple dimensions. NVD operations are a core building block of these efforts, and the current state of NVD operations is hindering our progress. This situation must be corrected with a sense of urgency appropriate tothe broader strategic imperative of securing our systems infrastructure."
