NIST Restricts CVE Entry Work Amid Surge in Submissions


Key Takeaways

  • The National Institute of Standards and Technology (NIST) announced that the National Vulnerability Database (NVD) can no longer keep up with the exponential growth in vulnerability submissions.
  • Starting immediately, NIST will only “enrich” (add descriptions, severity scores, etc.) CVEs that meet new criteria: those listed in CISA’s Known Exploited Vulnerabilities catalog, those affecting federal‑government systems, or software deemed “critical.”
  • CVEs that do not meet the new criteria will remain listed in the NVD but will no longer receive enrichment; older unenriched entries will be moved to a “Not Scheduled” category.
  • NIST will rely entirely on submitter‑provided severity scores and will develop automated processes to handle the growing volume sustainably.
  • The agency acknowledged a growing backlog from 2024‑2025 that it cannot clear under current resources, and it urged the community to request enrichment on a case‑by‑case basis via email.
  • Experts warn that the democratization of AI‑driven code review is flooding the vulnerability pipeline with low‑severity findings, making centralized triage increasingly unsustainable.

Background: The Growing Burden on the NVD

The National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST), has long served as the central repository for publicly known cybersecurity vulnerabilities. Each entry—identified by a Common Vulnerabilities and Exposures (CVE) identifier—receives a description, severity score (using the Common Vulnerability Scoring System, CVSS), remediation guidance, and references to relevant advisories. Historically, NIST aimed to enrich every CVE that arrived at the NVD with this contextual information.

However, the volume of vulnerability reports has risen dramatically in recent years. Driven by the proliferation of open‑source software, the spread of automated code‑scanning tools, and the widespread adoption of AI‑assisted code review, the number of CVEs submitted to the NVD has grown exponentially. In the first three months of 2026 alone, submissions were nearly one‑third higher than in the same period of 2025, and NIST reported enriching nearly 42,000 CVEs in 2025—a 45 % increase over any previous year. Despite these efforts, the incoming flow now outpaces the agency’s capacity to enrich every record.

The Decision to Prioritize Enrichment

Faced with an unsustainable influx, NIST announced a shift from “enumerate‑everything” to a risk‑based prioritization model. Effective immediately, the NVD will only enrich CVEs that meet one of the following criteria:

  1. Listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog – vulnerabilities that have been observed being exploited in the wild.
  2. Affecting federal‑government systems or designated “critical” software – as defined by CISA and federal acquisition regulations.

All other CVEs will remain in the NVD database but will not receive additional description, CVSS scores, or remediation guidance.

NIST emphasized that this change does not remove the CVEs from public view; they remain searchable and downloadable. However, users will no longer receive the agency’s enrichment for those entries, meaning they must rely on the submitter’s original description and severity score—or request enrichment manually via email.

Moving the Existing Backlog

NIST acknowledged a substantial backlog of CVEs submitted during the 2024‑2025 funding crisis, when staffing cuts left 90 % of submissions unenriched. The agency pledged to address the legacy backlog by moving all CVEs with a publish date before March 1, 2026 into a new “Not Scheduled” category. These entries will remain searchable but will not be automatically enriched moving forward. NIST stated that it will manually review the backlog and promote any items that meet the new enrichment criteria on a case‑by‑case basis.

Reliance on Submitter‑Provided Scores

To reduce the analytical burden, NIST will cease assigning its own CVSS scores to newly submitted CVEs. Instead, it will rely entirely on the severity score supplied by the submitting vendor or researcher. NIST argues that the submitter is best positioned to assess the exploitability and impact of their own finding, and that the agency’s resources are better spent on developing automated triage capabilities. NIST stressed that it will still validate extreme outliers (e.g., scores that appear implausibly low or high) but will not routinely recompute scores for every entry.

Building Automated, Sustainable Workflows

Recognizing that manual enrichment cannot keep pace with incoming volume, NIST announced a multi‑year initiative to develop automated enrichment pipelines. These will leverage machine‑learning models to extract description fields from vendor advisories, map CVSS scores from vendor‑provided vectors, and flag exploitable vulnerabilities based on threat‑intelligence feeds. The agency aims to have a prototype capable of processing > 80 % of new CVEs within 24 hours by FY 2028, with a long‑term goal of full automation.

NIST also highlighted plans to create a public API that allows organizations to submit enrichment requests directly, track their status, and receive automated updates when a CVE meets the enrichment criteria. The agency hopes that this self‑service model will reduce reliance on manual triage while still giving the community a path to request enrichment for particularly impactful findings.

Community Reaction

Reaction from the cybersecurity community has been mixed. Experts such as Trey Ford of Bugcrowd welcomed the clarification, noting that the vulnerability‑management community has long recognized that centralized triage cannot scale with the current volumetrics. “The signal that actually drives remediation priority has always come from real‑world exploitability, not database metadata,” Ford said, urging the industry to shift toward continuous, adversarial testing rather than periodic database updates.

Conversely, some researchers expressed concern that relying solely on submitter‑provided scores could allow low‑severity or poorly validated findings to slip through, especially if submitters lack rigorous scoring practices. Others warned that the new policy might inadvertently downgrade the visibility of niche but potentially high‑impact flaws in obscure libraries, particularly those not yet exploited in the wild.

Nevertheless, many welcomed NIST’s transparency about its capacity limits and the explicit roadmap toward automation. The agency’s pledge to respond to enrichment requests via email and to develop a public request‑tracking portal was seen as a step toward greater community involvement.

Looking Ahead

NIST framed the policy shift as a necessary step toward long‑term sustainability. By concentrating enrichment resources on vulnerabilities that are already known to be exploited, affect federal systems, or are deemed critical, the agency aims to preserve the NVD’s usefulness as a trusted source of actionable intelligence while it builds the automated infrastructure required to handle future growth.

The agency urged the vulnerability‑research community to assist by:

  • Submitting CVEs with complete, accurate descriptions and CVSS scores.
  • Promptly requesting enrichment for any CVE they believe meets the new criteria via the designated NIST‑email channel.
  • Leveraging the forthcoming API to automate enrichment requests for bulk submissions.

In summary, the NVD will continue to serve as a public repository for all known CVEs, but the depth of information attached to each entry will now be risk‑based rather than exhaustive. This shift reflects the reality of an exponentially growing vulnerability landscape and signals a broader industry move toward decentralized, continuous validation of software security—augmented, where possible, by automated analysis and community‑driven enrichment.
