NIST Silence Forces IT Companies to Battle Vulnerabilities

The U.S. National Institute of Standards and Technology (NIST) is currently reworking its National Vulnerability Database (NVD), and the way it is doing so has raised concerns among organizations that rely on the database to protect their systems.

The issue surfaced in mid-February 2024, when researchers noticed a sharp drop in the amount of detail accompanying critical vulnerabilities posted to the NVD. Normally an NVD entry carries essential metadata about a disclosed vulnerability: a general description, a list of affected software, and an assessment of its severity.

Since February, however, more than 2500 vulnerabilities have been added to the database without this enrichment, leaving IT specialists to work out severity and the required mitigations on their own.

This situation has sparked dissatisfaction within the industry, prompting NIST to address the issue. The institute acknowledged possible “delays in analytical work” and mentioned the formation of a consortium to address the shortcomings in NVD and enhance analytical tools.

Nevertheless, the announcement has not allayed concerns; some experts want more information about the consortium's structure and objectives. Others question whether radical changes are needed at all, given that the current system has worked for many years, and NIST has not clarified this further.

One speculation is that NIST might replace CPE (Common Platform Enumeration) identifiers with SWID (Software Identification) tags to describe software products in more detail. A CPE name is a unique identifier made up of a fixed set of fields, whereas a SWID tag carries additional information beyond the identifier, such as licensing, patches, the files that make up the product, and cryptographic hashes of them.
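To make the contrast concrete, here is a small parser for the CPE 2.3 formatted-string form, added as an illustration and not taken from the article or from NIST's tooling. It assumes the eleven-field layout defined in the CPE 2.3 naming specification (NISTIR 7695) and uses a constructed sample string; note that the record holds nothing beyond these naming fields, which is exactly what SWID tags would add.

```python
import re
from typing import Optional

# The eleven attributes of a CPE 2.3 formatted string, in specification
# order (NISTIR 7695). They follow the fixed prefix "cpe:2.3".
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Constructed sample: a version value containing an escaped colon ("\:"),
# the classic pitfall for naive str.split(":") parsers.
SAMPLE_CPE = r"cpe:2.3:a:example_vendor:example_product:1.0\:beta:*:*:*:*:*:*:*"


def split_cpe23(s: str) -> list[str]:
    """Split on ':' while leaving backslash-escaped characters intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair as-is for now
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cpe23(s: str) -> dict[str, Optional[str]]:
    """Return the named CPE 2.3 fields. ANY ('*') becomes None, NA ('-') ''."""
    parts = split_cpe23(s)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    fields: dict[str, Optional[str]] = {}
    for name, raw in zip(CPE23_FIELDS, parts[2:]):
        if raw == "*":
            fields[name] = None
        elif raw == "-":
            fields[name] = ""
        else:
            fields[name] = re.sub(r"\\(.)", r"\1", raw)   # drop the escapes
    return fields


def specified_fields(fields: dict[str, Optional[str]]) -> list[str]:
    """Names of fields that carry a concrete value rather than ANY."""
    return [name for name in CPE23_FIELDS if fields[name] is not None]
```

Running `parse_cpe23(SAMPLE_CPE)` yields only part, vendor, product and version; every other attribute is the ANY wildcard, and there is no slot for a hash, a license or a patch list.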

For now, however, this remains speculation, and further updates from NIST are awaited.

/Reports, release notes, official announcements.