Cybersecurity experts sound alarm over US National Vulnerability Database
The experts warn of potential supply chain security crisis as issues persist with the US National Vulnerability Database (NVD), prompting a coalition’s call to action for swift intervention and reform.
The cybersecurity community is sounding the alarm over persistent challenges facing the US National Vulnerability Database (NVD), raising concerns about a potential supply chain security crisis.
A coalition comprising 50 cybersecurity experts has penned an open letter to US Secretary of Commerce Gina Raimondo and select members of Congress. Titled ‘A Call to Action: Addressing Critical Issues in the National Vulnerability Database,’ the letter urges swift intervention to investigate and rectify ongoing issues plaguing the NVD.
The concerns first arose in early March when a noticeable decline in vulnerability enrichment data uploads was observed on the NVD platform, starting around mid-February. While new vulnerability entries, known as CVEs, continued to be logged, many lacked comprehensive analysis. This led to crucial metadata such as Common Weaknesses and Exposures (CWEs) and criticality scores (CVSS) being omitted from the database. At the same time, NIST’s own figures reveal that only a fraction of received CVEs have been analysed thus far this year.
In response to mounting concerns, NIST initiated an industry consortium in late March to solicit support for the NVD program’s sustained operation. However, stakeholders emphasise the urgent need to address the existing backlog, given the NVD’s pivotal role as a primary resource for vulnerability information globally.
The letter advocates for several measures: first, resolving the current NVD backlog, and second, undertaking a comprehensive overhaul of vulnerability disclosure and management processes within the NVD program. To this end, Congress is urged to intervene by investigating ongoing issues, ensuring NIST has the necessary resources for immediate restoration, and laying the groundwork for long-term improvements.
The signatories propose practical recommendations to achieve these goals, including interim measures to streamline data relay, establishing transparent improvement plans with stakeholder input, and securing sustained funding for NVD operations.
The signatories represent a diverse array of stakeholders, including open-source organizations and leading security vendors. They underscore the critical importance of addressing NVD issues promptly to safeguard global cybersecurity interests.