NIST’s CVE Handling Cutback: Impacts on Cybersecurity Teams

Key Takeaways

  • NIST’s National Vulnerability Database (NVD) will prioritize enrichment for CVEs with the greatest potential widespread impact rather than enriching every record.
  • All CVE identifiers remain publicly available; CVSS scores will continue to be supplied by CNAs, CISA, or NVD.
  • The shift results from staffing cuts, reduced federal funding, and a steep rise in annual vulnerability disclosures that exceed NIST’s capacity.
  • Industry experts acknowledge the logic of risk‑based focus but warn that reduced enrichment may cause some vulnerabilities to be missed, especially lower‑severity issues that can be chained in attacks.
  • Proposed improvements include requiring richer data at CVE submission, automating enrichment workflows, and encouraging vendors to update CVE records promptly.
  • Cybersecurity teams are advised to adopt proactive patching, engage vendors for confirmation, and consider embedding vulnerability‑reporting standards in procurement contracts.

Overview of NVD Operational Shift
Harold Booth, program manager for NIST’s National Vulnerability Database, announced at VulnCon26 that the NVD will no longer attempt to enrich every CVE record. Instead, the program will prioritize which vulnerabilities receive enriched data such as impacted product details, attack vectors, and contextual information. This change reflects a recognition that the volume of disclosed vulnerabilities has outpaced NIST’s ability to maintain comprehensive enrichment for all entries. Booth emphasized that the full list of CVE identifiers will remain publicly available, ensuring that organizations can still locate vulnerabilities of interest even if some lack NVD‑provided enrichment.

Reasons Behind NIST’s Prioritization Decision
The decision to prioritize stems from a combination of staffing losses, budget cuts, and an accelerating influx of vulnerability reports. In 2024 NIST lost approximately 12 % of its federal funding, triggering a talent exodus that weakened its capacity to process the growing backlog. Concurrently, the number of CVEs created each year has risen sharply, with CNAs generating around 40 000 records in 2025 and projecting up to 60 000 by the end of 2026. Booth explained that the prioritization criteria aim to capture CVEs with the greatest potential for widespread impact, thereby aligning limited resources with the needs of the majority of users.

Impact on Cybersecurity Practitioners
For many security teams, the NVD has served as a central repository not only for CVE IDs but also for enriched metadata that simplifies vulnerability triage, patch prioritization, and risk assessment. The reduction in enrichment means that practitioners will need to invest additional effort to gather missing details such as affected software versions, exploitability context, or remediation guidance. While the core identifier data remains intact, the loss of supplemental information can increase the time required to determine whether a specific CVE applies to an organization’s environment and to assess its true risk level.

Insights from Industry Leaders (Jessica Sica)
Jessica Sica, CISO at telecom software vendor Weave, acknowledged that the shift toward risk‑based prioritization is logical, arguing that focusing on high‑impact vulnerabilities mirrors internal risk‑management practices. However, she warned that the reduction in NVD enrichment will inevitably cause some vulnerabilities to be overlooked, particularly those with lower severity scores that could still be chained in attack sequences. Sica stressed that security vendors and enterprises alike have long relied on the NVD as a trustworthy, comprehensive source, and that the community must now consider alternative mechanisms—such as open‑source projects or private‑sector feeds—to fill the emerging gaps.

The CVE Enrichment Process Explained
Enrichment involves augmenting a basic CVE record with contextual data: the specific products and versions affected, the attack vector (e.g., network, local, physical), exploitability metrics, and references to public advisories or proof‑of‑concept code. This process typically requires analysts to review the reference materials submitted with the CVE, conduct manual internet searches for additional details, and sometimes contact vendors for clarification. Because each enrichment step is labor‑intensive, scaling the effort to tens of thousands of new CVEs annually has become untenable for NIST given its current staffing levels.
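Because a record that arrives without enrichment cannot be matched to an estate, the first triage step is to spot which of the fields listed above are missing and route those records to vendor confirmation instead of guessing. As an added example (not code from the article, NIST or any vendor named here), the Python helper below does that and, where affected-version data is present, decides applicability against a local inventory; the record shape, product names and CVE IDs are constructed placeholders, not the NVD schema.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class CveRecord:
    """Simplified, constructed record shape (not the real NVD JSON schema)."""
    cve_id: str
    cvss: Optional[float] = None         # None: no CNA/CISA/NVD score on the record
    attack_vector: Optional[str] = None  # e.g. "NETWORK"; None when not enriched
    # affected ranges: (vendor, product, first_affected_incl, fixed_version_excl)
    affected: list = field(default_factory=list)

def enrichment_gaps(rec: CveRecord) -> list:
    """Names of the enrichment fields this record is missing, in a fixed order."""
    checks = [("cvss", rec.cvss is None), ("attack_vector", rec.attack_vector is None),
              ("affected", not rec.affected)]
    return [name for name, missing in checks if missing]

def version_key(ver: str) -> tuple:
    # Dotted numeric version -> comparable tuple; no pre-release suffix handling.
    return tuple(int(part) for part in ver.split("."))

def matches_inventory(rec: CveRecord, inventory: list) -> list:
    """Inventory entries (vendor, product, version) inside one of the affected ranges."""
    hits = []
    for vendor, product, first, fixed in rec.affected:
        for inv_vendor, inv_product, inv_ver in inventory:
            in_range = version_key(first) <= version_key(inv_ver) < version_key(fixed)
            if (inv_vendor, inv_product) == (vendor, product) and in_range:
                hits.append((inv_vendor, inv_product, inv_ver))
    return hits

def triage(records: list, inventory: list) -> dict:
    """Bucket records; without affected-product data applicability cannot be decided locally."""
    out = {"needs_vendor_confirmation": [], "applicable": [], "not_applicable": []}
    for rec in records:
        gaps = enrichment_gaps(rec)
        if "affected" in gaps:
            out["needs_vendor_confirmation"].append((rec.cve_id, gaps))
            continue
        hits = matches_inventory(rec, inventory)
        out["applicable" if hits else "not_applicable"].append((rec.cve_id, hits, gaps))
    return out

# Constructed sample feed and inventory; the CVE IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-00001", 9.8, "NETWORK", [("examplecorp", "webgate", "2.0.0", "2.4.1")]),
    CveRecord("CVE-0000-00002", None, None, [("examplecorp", "webgate", "3.0.0", "3.0.2")]),
    CveRecord("CVE-0000-00003"),  # bare record: identifier only, nothing enriched
]
SAMPLE_INVENTORY = [("examplecorp", "webgate", "2.3.7"), ("examplecorp", "webgate", "3.1.0")]
```

The second record still decides cleanly as not applicable despite lacking a score and attack vector, while the bare third record is the one that needs a call to the product owner.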

Challenges in Current CVE Submission Standards
Alec Summers, MITRE’s CVE/CWE project leader, noted that the minimum requirements for filing a CVE are deliberately sparse: an identifier, a brief description, and a reference to the impacted product. This “bare‑bones” approach leaves substantial work for downstream organizations like the NVD to flesh out the record. Lindsey Cerovnik of CISA highlighted that the lack of mandated data at submission time contributes to inconsistent enrichment quality and places an unfair burden on those tasked with maintaining the database. Efforts to tighten submission criteria are under discussion but have not yet been enacted.

Calls for Upstream Enrichment by CNAs
Former CISA technical adviser Bob Lord advocated moving the enrichment burden upstream to the CVE Numbering Authorities that initially issue the CVE. He argued that details such as application name, weakness class, and exploitability metrics should be supplied by the CNA at the time of issuance, rather than added later by the NVD. Lord’s view is shared by members of the CVE Consumer Working Group, who believe that complete, accurate, and timely CVE records would reduce reliance on downstream enrichment and improve the overall utility of the vulnerability ecosystem.

Issues with Vendor Timeliness in CVE Updates
Dick Brooks, co‑founder of Business Cyber Guardian, pointed out that many vendors reserve CVEs and publish security advisories but fail to update the corresponding CVE records within the required 24‑hour window. He cited Google as a frequent offender, noting that advisories sometimes appear while the associated CVE entry remains incomplete for weeks, eroding trust in the timeliness of the database. In contrast, Brooks observed that Apple generally adheres to the 24‑ to 48‑hour guideline, demonstrating that prompt updates are feasible when vendors prioritize the process.

Strategies for Cyber Teams to Adapt
In response to the reduced enrichment, Shane Fry of RunSafe Security advised organizations to shift focus toward building defenses directly into software, thereby preventing exploitation even before patches are available or vulnerabilities are disclosed. He noted that AI‑assisted tools and the rising volume of disclosures will only exacerbate the data overload, making proactive mitigation essential. Brooks added that cyber teams must become more diligent in contacting product owners to confirm whether a specific CVE affects their deployed assets, as the CVE identifier alone often does not reveal the exact product‑version mapping.

Role of Automation and AI‑Assisted Tools
Both Fry and other panelists highlighted the potential of automation and machine‑learning techniques to alleviate the enrichment bottleneck. Automated workflows could parse reference feeds, extract product‑version information, and populate enrichment fields with minimal human intervention. Fry referenced Anthropic’s Mythos as an example of AI‑driven vulnerability analysis that could help prioritize which CVEs merit deeper investigation, allowing human analysts to concentrate on the most critical cases.

Proactive Measures: Vendor Engagement and Patch Management
Adam Shostack urged organizations to accelerate patch deployment and to “grease the patch path,” thereby reducing the window of exposure for known vulnerabilities. He also suggested managing the risk associated with the patching process itself, such as limiting lateral movement of malware during updates. Shostack’s February write‑up outlined concrete steps to shrink potential blast zones, including network segmentation and strict change‑control procedures, to limit the impact of any exploit that might slip through.

Future Directions: Procurement Language and Community Initiatives
Brooks revealed that the U.S. energy sector is experimenting with procurement clauses that require suppliers to report product vulnerabilities promptly—ideally before a CVE is made public—and to update CVE records within the prescribed timeframe. He hopes this model can be adopted more broadly across industries, creating contractual incentives for timely and accurate vulnerability reporting. Additionally, community‑driven initiatives, such as open‑source vulnerability feeds or shared enrichment platforms, may supplement the NVD’s efforts and help maintain a reliable baseline of vulnerability information for defenders worldwide.
