NIST gives up enriching most CVEs
NIST has announced a major policy shift for the National Vulnerability Database, stating it will now only enrich 'important' vulnerabilities due to a massive backlog and budgetary constraints.

Risky Bulletin Newsletter

April 17, 2026

Written by Catalin Cimpanu, News Editor

This newsletter is brought to you by Corelight. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.

The US National Institute of Standards and Technology announced on Wednesday a new policy regarding the US National Vulnerability Database, which the agency has been struggling to keep updated with details for every new vulnerability added to the system.

Going forward, NIST says its staff will add data (in a process called enrichment) only for important vulnerabilities.

This will include three types of security flaws, which the agency says are critical to the safe operation of US government networks and its private sector.

  • CVE entries for vulnerabilities listed in CISA KEV, a database of actively exploited bugs;
  • CVEs in software known to be used by US federal agencies;
  • and CVEs in what the agency classifies as "critical software."

This latter category sounds restrictive, but is in fact quite broad and includes all the major software you'd expect and want to have properly enriched CVEs for. Stuff like operating systems, web browsers, security software, firewalls, backup software, and VPNs; they are all on the list [PDF], which you can also see below this post.

NIST has been struggling to enrich CVEs for more than two years due to an explosion in bug discoveries and mounting costs, also made worse by the Trump administration's recent cuts to various DHS and CISA budgets.

Its problems started in early 2024, when an initial backlog of 2,100+ CVE entries left without enriched metadata grew to almost 30,000 by the end of the year. Despite efforts to catch up and add details to all CVEs published in the NVD, the agency is still tens of thousands of bugs behind.

The NIST announcement is a capitulation, with the agency admitting it won't ever catch up due to its current budgetary circumstances.

It is a smart decision. Even though this sounds like blasphemy to infosec people in the vulnerability management space, the only way forward for NIST was to focus on the important bugs and give up on the CVE chaff.

Each year, there are tens of thousands of vulnerabilities being reported in all kinds of no-name software you have never heard of, in all the tiny libraries that barely have 100 stars on GitHub, and all the IoT gear and their firmware components.

The announcement is not what the vulnerability management companies wanted, since many of them relied on packaging the NVD output into their own vulnerability scanners, dashboards, and reporting tools.

With some of that output set to disappear for good, they will have to find other places to get the data, or enrich it themselves. Aikido Security's Sooraj Shah has an excellent take on what this means for the industry:

"The TL;DR is that there is no single source of truth anymore (if there ever really was). NVD is deprioritizing, EUVD is nascent but may go the same way, and other CVE programs, such as MITRE, have had funding scares. Being reliant on one database as a team or for a security tool means you have less coverage and visibility. That era is officially over."

The cybersecurity industry was expecting this to happen. At a January quarterly meeting, NIST officials talked about "rethinking" the agency's role in analyzing software vulnerabilities, and hinted at a plan to only triage the important bugs.

NIST says that besides focusing on enriching only the big bugs, it will also stop providing its own CVSS severity scores for NVD entries, and will now show the severity score initially assigned by the organization that issued the CVE.

This opens the door for a lot of infosec drama. Some of the organizations that issue CVE numbers are also the makers of the "reported" software, and these companies are extremely likely to issue low severity scores and downplay their own bugs.

This has been happening for decades, and if you read enough vulnerability write-ups, you'll find security researchers accusing companies, over and over again, of blatantly downgrading CVSS scores and mischaracterizing their own bugs to downplay their impact.
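As an added example (not NIST's code or the newsletter's), the Python below triages a CVE record in the CVE Program's JSON 5.x layout against the three enrichment classes described above and shows which CVSS score a consumer is left with under the new policy: an independent ADP score where one exists, otherwise the CNA's own score, flagged when the CNA is also the vendor of the affected product. The KEV catalogue, federal-use list and product-category lookup are constructed placeholders, not the real feeds.

```python
# Added example, not NIST's or the newsletter's code. Triage a CVE record in the
# CVE Program's JSON 5.x shape against the three classes NIST says it will still
# enrich, and report which CVSS score remains now that NVD assigns none of its own.
KEV_CATALOG = {"CVE-2026-00001"}                              # stand-in for CISA KEV
FEDERAL_PRODUCTS = {"examplecorp/fileshare"}                  # stand-in for the federal-use list
CRITICAL_CATEGORIES = {"operating system", "web browser", "security software",
                       "firewall", "backup software", "vpn"}  # categories the article names
PRODUCT_CATEGORY = {"examplecorp/edgevpn": "vpn"}             # stand-in vendor/product -> category

def base_score(metrics):
    """Return the first CVSS base score in a JSON 5.x 'metrics' list, newest version first."""
    for m in metrics or []:
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0"):
            if "baseScore" in m.get(key, {}):
                return float(m[key]["baseScore"])
    return None

def triage(record):
    cve_id = record["cveMetadata"]["cveId"]
    containers = record["containers"]
    cna = containers["cna"]
    affected = {f"{a['vendor']}/{a['product']}".lower() for a in cna.get("affected", [])}
    reasons = []
    if cve_id in KEV_CATALOG:
        reasons.append("kev")
    if affected & FEDERAL_PRODUCTS:
        reasons.append("federal-use")
    if any(PRODUCT_CATEGORY.get(p) in CRITICAL_CATEGORIES for p in affected):
        reasons.append("critical-software")
    result = {"cve": cve_id, "nvd_enriches": bool(reasons), "reasons": reasons}
    # Prefer an independent ADP score; otherwise fall back to the CNA's own number,
    # flagging it when the CNA is also the vendor of the affected product.
    for adp in containers.get("adp", []):
        score = base_score(adp.get("metrics"))
        if score is not None:
            return {**result, "score": score, "vendor_self_scored": False,
                    "source": "adp:" + adp["providerMetadata"]["shortName"]}
    cna_name = cna["providerMetadata"]["shortName"].lower()
    return {**result, "score": base_score(cna.get("metrics")), "source": "cna:" + cna_name,
            "vendor_self_scored": any(p.split("/")[0] == cna_name for p in affected)}

# Constructed record: a vendor CNA scoring its own VPN bug, with no ADP container.
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-2026-00002"},
    "containers": {"cna": {
        "providerMetadata": {"shortName": "examplecorp"},
        "affected": [{"vendor": "ExampleCorp", "product": "EdgeVPN"}],
        "metrics": [{"cvssV3_1": {"baseScore": 4.3, "baseSeverity": "MEDIUM"}}]}},
}
```

Running `triage(SAMPLE_RECORD)` marks the record as still enriched (critical software) but shows that the only available severity is the vendor's own 4.3, which is exactly the situation the article warns about.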

More than 48,000 vulnerabilities received a CVE number last year and NIST is giving up right before experts anticipate this number will explode with the broad adoption of AI cybersecurity agents designed to help improve vulnerability discovery.

The integration of AI vulnerability scanners is likely to yield a few major bugs, but they're also expected to produce mountains of CVE chaff that no human team at NIST would have been able to keep up with anyway.

NIST's new enrichment policy entered into effect this week, on Wednesday, April 15.

© 2026 Now Let Us. All rights reserved.
