National Vulnerability Database Updates: How SecurityScorecard’s CVEDetails can help

The National Vulnerability Database (NVD), the world’s most widely used vulnerability data source, has been having some problems recently, causing uncertainty and anxiety for everyone dealing with security vulnerabilities. Many organizations, including cybersecurity vendors, rely on CVE data provided by NVD. As a government organization operated by the U.S. National Institute of Technology (NIST), NVD has been a trusted source of information, providing an invaluable public service since the early 2000’s. 

Normally NVD analysts manually review and curate CVE data, especially product and version information and, in turn, NVD provides reliable and accurate data. But users have noticed that things have shifted lately. So what happened? NVD has not been providing the same level of detail for most CVEs since January and it does not seem to be doing manual analysis for most CVEs either.

CVEdetails.com also consumes CVE data provided by NVD (though it’s not SecurityScorecard’s only data source), and we first noticed problems in early January, when some data was unusually delayed. Then in February, NVD posted a notice on its website, acknowledging the problems and mentioning that it will be working on setting up a new consortium to improve the situation.

What might be going on at NVD

Since mid-February, many posts were shared on social media, especially on LinkedIn, speculating on what might have happened with NVD, as well as what the future would hold for it. Here are a few possible reasons for the issue at NVD:

The number of new CVEs is increasing every day

Unfortunately, manual analysis is required for most CVEs, as they are initially published with minimal or poorly structured information. NVD analysts would be having a hard time keeping up with new CVEs.

New APIs

NVD switched to new APIs last year and tried to discontinue JSON dumps, which most data consumers were relying on. Asking thousands of different consumers to switch to using APIs was probably not a good idea. People who would just download a JSON dump and process it on their side were asked to query NVD APIs. Developing and maintaining such heavily used APIs would  have created a significant workload and cost for the NVD (which could have been allocated to improving data processing and quality). Yet it is not unusual for NVD APIs to return 5xx responses unfortunately.

NIST published an update describing its plans for the future and we also believe that NVD will continue to be available. But we will have to wait and see how much it can succeed in resolving the problems or how long it will take to fix them.

A comprehensive alternative to NVD

SecurityScorecard’s vulnerability intelligence solution through CVEDetails.com offers a comprehensive alternative. We provide affected product and version information for most CVEs even if they are not provided by NVD. We do this by cross referencing multiple sites, using AI to extract additional insights, and conducting manual reviews of CVEs to ensure organizations are armed with the CVE data needed to make decisions. 

CVEDetails.com users can view CVE details including vulnerable product and version information for free as usual. And we will continue to provide this service to the public. CVEDetails.com subscribers will also have access to far more detailed information and much more than just CVEs. 

Next steps for CVEDetails

This is an ongoing process that we will continue to address and refine. We will be focusing on issues that matter to a wider audience, (i.e we will not be providing analysis data for issues affecting software from a random Github repository practically no one is interested in). We will also be adding new and improved filtering options to help users avoid noise and focus on issues that matter.

We will be providing more details and insights in later blog posts. But in the meantime, please feel free to reach out if you have any questions, or if you would like to schedule a demo to explore CVEDetails.com.