NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities
The agency will focus on flaws with the greatest systemic risk and stop separate severity scoring for submitter-rated CVEs.
- On Wednesday, the National Institute of Standards and Technology announced it will narrow priorities for its National Vulnerability Database, focusing detailed analysis only on vulnerabilities posing the greatest systemic risk.
- The rise of AI-powered vulnerability-detection tools overwhelmed the agency, which faced a 263% increase in submissions between 2020 and 2025, creating a massive backlog.
- NIST will prioritize CVEs that appear in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, affect software used in the federal government, or affect software defined as "critical software" under a Biden Executive Order.
- Vulnerabilities that do not meet these criteria will remain listed in the NVD but will not receive detailed "enrichment," and NIST will stop generating separate CVSS scores for CVEs already assessed by submitting organizations.
- Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told CyberScoop the agency was "set up for failure under their previous system," while NIST aims to stabilize the program through automated systems.
11 Articles
NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities
The federal agency tasked with analyzing security vulnerabilities is overwhelmed as it and other authorities struggle to keep pace with a flood of defects that grows every year. The National Institute of Standards and Technology announced Wednesday that it has capitulated to that deluge and narrowed the priorities for its National Vulnerability Database. NIST said it will only prioritize analysis for CVEs that appear in the Cybersecurity and Inf…
The US National Institute of Standards and Technology (NIST) is unable to keep pace with the flood of new vulnerabilities. From now on, only critical and actively exploited vulnerabilities (CVEs) are being enriched in detail. The central pillar of the global vulnerability assessment is shaken under one major burden. The National Institute of Standards and Technology (NIST) has officially announced far-reaching changes in the handling of cybersec…
NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. "CVEs that do not meet those criteria will still be listed in the NVD but will not
NIST cuts down CVE analysis amid vulnerability overload
Overwhelmed by an escalating volume of security flaws, the National Institute of Standards and Technology (NIST) has announced significant changes to how it handles cybersecurity vulnerabilities and exposures (CVEs). Rather than commit to providing enrichment for all entries in its National Vulnerability Database (NVD), the agency will focus on just the most critical CVEs, which will “allow us to stabilize the program while we develop the automa…
Coverage Details
Bias Distribution
- 100% of the sources are Center