How NIST’s Cutback of CVE Handling Impacts Cyber Teams

By primereports, April 19, 2026
The chilly air-conditioned Scottsdale ballroom hardly stirred while Harold Booth, program manager for NIST’s National Vulnerability Database (NVD), discussed a major operational change — his organization is scaling back its operations and will prioritize which CVEs are chosen for enrichment, rather than taking them all on. 

It was an admission that the scope of the NVD had grown beyond the capacity of the National Institute of Standards and Technology (NIST) to administer and didn’t surprise anyone in the VulnCon26 audience. 

This particular collection of insiders and industry veterans is well aware of how difficult it has been for NIST to keep up with a mounting backlog of CVEs, particularly after NIST lost 12% of its federal funding in 2024, prompting a talent exodus last year. Likewise, cyber practitioners across the country have been watching NIST and the CVE program struggle and have been bracing for cutbacks in services. 


Booth explains why NIST decided to prioritize certain CVEs for enrichment data, which consists of adding information about impacted products, attack vectors, and other relevant details to the CVE file.

“Our prioritization criteria are designed to meet most users’ needs by allowing us to focus on CVEs with the greatest potential for widespread impact,” he tells Dark Reading. “Organizations will still have access to all CVEs in the NVD.” CVSS scores will still be available from either the CVE Numbering Authority (CNA), Cybersecurity and Infrastructure Security Agency (CISA), or the NVD.

In addition, he adds, users can still request enrichment or scoring for a specific CVE.

“We recognize that some of these changes will require organizations downstream to adapt,” Booth says. “That is why we are also working to develop the automated systems and workflow enhancements that will allow us to better meet the needs of the cybersecurity community long-term.” 

Practitioners and cybersecurity leaders across the country have also been watching NIST, and the CVE program more broadly, struggle to keep up. 

“Staffing cuts and proliferation of vulnerabilities made this inevitable,” according to Jessica Sica, chief information security officer (CISO) at Weave, a telecom software vendor. “And I think a lot of security practitioners were just waiting for this other shoe to drop. I do think some of the changes are good. Why worry about a vulnerability that can’t be exploited or is low in severity? Much like companies need to prioritize risk and where to focus, NIST shifting to a risk prioritization model is not a bad thing.”


But, Sica argues, the loss of NIST enrichment data is a big deal for cybersecurity practitioners. 

“The bottom line is some stuff will get missed,” Sica says. “A lot of security vendors rely on the NVD as their source of information and what companies need to patch. It’s been talked about for the past year that the private sector or perhaps open source needs to step up and provide something because it’s clear we cannot currently rely on NIST as a comprehensive and reliable source of vulnerability information.” 

The CVE Enrichment Problem

Broadly, MITRE and a group of designated CVE Numbering Authorities, made up of trained vendors, researchers, bug bounty providers, and consortium organizations, are responsible for collecting reports of vulnerabilities, assigning CVE ID numbers, and creating a record with the available information. Currently, there are 504 CNAs across 42 countries, with one member declared with no country affiliation. In 2025, this group created around 40,000 CVE records, and according to CISA’s chief of vulnerability response, Lindsey Cerovnik, it’s on track to generate as many as 60,000 by the end of 2026.  

Enrichment metadata is deeply useful for defenders trying to track where vulnerabilities could lurk in their systems, but it is also labor intensive to gather and report. Enrichment includes a review of the reference materials provided along with the CVE, as well as a manual Internet search for publicly available details on the exploit. The sheer volume of CVEs being created is simply too large to handle each one by hand any longer.


Making the enrichment process even more onerous is the flimsy amount of information currently required to file a CVE. Cernovik explained she is looking to require more information at the time a CVE is filed and to help standardize the process. Another speaker, MITRE’s CVE/CWE project leader, Alec Summers, noted that all that’s required for a CVE is an ID, a brief description, and a reference to the product impacted. That bare-bones data leaves a lot of work for groups like those at NIST working on the NVD to fill out. But those changes are still just under consideration and not yet on the horizon to be implemented, Cernovik explained.

Former CISA technical adviser Bob Lord agrees that would be a helpful step. 

“Every element NVD adds after a CNA issues a CVE record (application name, class of coding error, exploitability metrics, etc.) can and should be provided by the CNA upstream, not appended downstream,” Lord says. “CVE records should be complete, accurate, and timely at the time of issuance.” 

Lord is part of the CVE Consumer Working Group along with Dick Brooks, co-founder and lead software engineer at Business Cyber Guardian. Brooks adds that the delayed publication of CVE details by software vendors also bogs down the process.

“Many software manufacturers reserve CVEs and publish security advisories but fail to update the corresponding CVE records within the required 24-hour period,” Brooks says. “This has become a growing problem, particularly with Google, which often publishes advisories and then leaves the CVE records incomplete for weeks. While short delays of a day or two may be tolerable, extended gaps undermine trust in CVE timeliness and disrupt vulnerability research workflows. In contrast, Apple generally stays within the 24– [to] 48-hour guideline, demonstrating that timely publication is feasible.” 

How Cyber Teams Can Adapt to Less NVD Data 

In the meantime, cybersecurity teams will need to move to make up for the loss of enrichment data, according to Shane Fry, chief technology officer at RunSafe Security. 

“Anthropic’s Mythos highlights why NIST is making this move in the first place,” Fry says. “They have already seen a surge in CVE submissions over the past year and have not been able to keep up. Mythos and other tools for AI-assisted vulnerability will only add to the volume of vulnerabilities disclosed. It’s a problem the industry has been aware of for some time.” 

So without the ability to keep up with the sheer volume of CVEs, cyber teams need to pivot, Fry adds.

“The way forward will have to emphasize building defenses into software itself to prevent the exploit of bugs and zero-days even before patches are available or the vulnerability is disclosed,” he advises. 

Brooks says cyber teams are going to have to get more proactive about chasing down vulnerability information. 

“CVEs are of limited value. It’s not always easy to identify the products in an end user environment that may be affected by a CVE,” Brooks says. “This requires end users to reach out to the product producer for a definitive answer to the question, ‘Is my product affected?’”
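The article notes that a CVSS score may now come from the CNA, from CISA, or from the NVD, and that a bare-bones record leaves teams asking “Is my product affected?” The following triage routine, an added example rather than code from the article or from NIST/MITRE, shows how a downstream team can check what a CVE record already carries before relying on NVD enrichment. It assumes the CVE JSON 5.x record layout (a `cna` container plus optional `adp` containers) and uses constructed sample records with placeholder CVE IDs.

```python
"""Triage CVE records for the enrichment the NVD may no longer add.

Added example, not code from the article or from NIST/MITRE. Assumes the
CVE JSON 5.x layout: containers.cna holds the CNA's data, containers.adp
holds downstream additions such as CISA's ADP container.
"""

# Constructed sample records; the CVE IDs are placeholders, not real ones.
SAMPLE_RECORDS = [
    {   # CNA supplied both a score and named products: complete at issuance.
        "cveMetadata": {"cveId": "CVE-0000-00001"},
        "containers": {"cna": {
            "descriptions": [{"lang": "en", "value": "Example overflow."}],
            "affected": [{"vendor": "ExampleCo", "product": "Widget",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
            "metrics": [{"cvssV3_1": {"baseScore": 9.8}}]}},
    },
    {   # Bare-bones CNA record; CISA's ADP container added a score later.
        "cveMetadata": {"cveId": "CVE-0000-00002"},
        "containers": {
            "cna": {"descriptions": [{"lang": "en", "value": "Example issue."}],
                    "affected": [{"vendor": "n/a", "product": "n/a"}]},
            "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
                     "metrics": [{"cvssV3_1": {"baseScore": 7.5}}]}]},
    },
    {   # ID, description and nothing else: needs manual follow-up.
        "cveMetadata": {"cveId": "CVE-0000-00003"},
        "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Example bug."}]}},
    },
]

def _has_cvss(metrics):
    return any("cvssV3_1" in m or "cvssV4_0" in m for m in metrics)

def cvss_sources(record):
    """Names of the containers carrying a CVSS score: 'CNA' and/or ADP short names."""
    containers = record.get("containers", {})
    found = ["CNA"] if _has_cvss(containers.get("cna", {}).get("metrics", [])) else []
    for adp in containers.get("adp", []):
        if _has_cvss(adp.get("metrics", [])):
            found.append(adp.get("providerMetadata", {}).get("shortName", "ADP"))
    return found

def has_named_products(record):
    """True if the CNA 'affected' list names a vendor and product (not the 'n/a' placeholder)."""
    affected = record.get("containers", {}).get("cna", {}).get("affected", [])
    return any(a.get("vendor", "n/a") != "n/a" and a.get("product", "n/a") != "n/a" for a in affected)

def triage(record):
    """Classify a record by what a team can act on without waiting for NVD enrichment."""
    if cvss_sources(record) and has_named_products(record):
        return "actionable"
    if cvss_sources(record):
        return "scored-but-unmapped"  # score exists; still must confirm affected products
    return "needs-follow-up"          # no score anywhere: request enrichment or ask the vendor

def triage_all(records):
    return {r["cveMetadata"]["cveId"]: triage(r) for r in records}
```

The "needs-follow-up" bucket is where a team would either file the per-CVE enrichment request Booth describes or contact the product producer directly, as Brooks suggests.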

Industry expert Adam Shostack recommends that in the wake of the NIST announcement, it’s up to organizations to speed up patching — a lot. 

“I don’t know how any system — CVE, a successor, or a corporate system — stays up to date if they require human analysis as part of their decisions,” Shostack says. “For many companies, the unavoidable conclusion is they probably need to grease the patch path and then manage down the risk of malware in that path.” 

Shostack in February wrote a detailed description of how to accomplish this, along with guidance to “really ratchet down the blast zones” that could be impacted by potential vulnerabilities. 

Moving forward, it might be useful for the cybersecurity community to add vulnerability reporting standards into procurement language, according to Brooks, who is working on a similar initiative with the US energy sector. He hopes it could serve as a model for cybersecurity as well. 

“The US energy industry is exploring new procurement language to improve the timeliness of product vulnerability reporting as soon as a product vulnerability is confirmed and before a CVE is publicly released,” Brooks says.
