• CramHacks
  • Posts
  • Why I Signed: An Open Letter to Congress on the National Vulnerability Database

Why I Signed: An Open Letter to Congress on the National Vulnerability Database

Neglecting the National Vulnerability Database: A Flaw We Can't Afford

Author

Kyle Kelly
April 15, 2024

On Friday, April 12th, 2024, security researchers and practitioners published an open letter to the U.S. Congress and Secretary of Commerce urging action regarding NIST’s ability to maintain the National Vulnerability Database (NVD) effectively. Specifically:

  • Immediately restore NVD operations and minimize tool disruptions.

  • Create a transparent plan to enhance NVD and address backlogs.

  • Probe NIST’s opaque communication about NVD issues in early 2024.

  • Ensure sustained funding for reliable NVD operations.

  • Treat NVD as essential and make it immune to funding cuts.

  • Maintain NVD’s independence with clear ownership and operation.

While complaining on social media is my forte, Chainguard CEO Dan Lorenc organized this open letter in hopes of having our concerns heard. It was incredible to see the involvement of an ad hoc group, and ultimately, I’m proud to be one of the 55 signatures.

So what’s the big deal?

On February 13th, 2024, NIST noted on the NVD website that we should expect temporary delays in posting CVE analysis. Following this, researchers and practitioners took to social media to discuss the ever-increasing concerns about what this might mean for vulnerability management. Keep in mind that much of the world’s security tooling relies on ingesting data from NVD.

It’s important to distinguish that NIST and the NVD differ from the CVE Program, which Mitre owns. Therefore, CVEs are still being reviewed and published by CVE Numbering Authorities (CNAs). However, many tools rely on data enrichment produced by NIST via the NVD. You can read more about NIST’s review here.

Well, it’s been over two months since NIST’s original notice. The seas haven’t risen, the moon isn’t gone, and we survived an eclipse! Surely these delays aren’t causing any problems.

I briefly touched on the impact below, but I’d recommend Chris Hughe’s blog post if you’re looking for a more detailed recap.

If you’re reading this, I hope I don’t have to explain why “it hasn’t been an issue yet” is a horrible response in the cybersecurity space 😆.

NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.

There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.

Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.

We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.

We will provide more information as these plans develop. NIST is committed to its continued support and management of the NVD.

For questions and concerns, you can contact [email protected].

Created February 13, 2024 , Updated April 2, 2024

In a recent analysis by VulnCheck’s Patrick Garrity, it’s been highlighted that although the National Vulnerability Database (NVD) has received over 10,000 CVEs this year, only 4,355 have been processed, with a mere 245 handled since March 1st. This stark discrepancy underscores a significant lag in handling new vulnerabilities, which could compromise security management efforts.

Moreover, despite receiving no Modified CVEs this year, the NVD has revisited and re-analyzed 1,225 CVEs, which suggests a misallocation of resources. I’d argue that the NVD should reconsider its approach, focusing on new vulnerabilities rather than spending valuable resources on re-evaluating CVEs associated with software that is likely to be end-of-life (EOL). This would streamline operations and enhance the NVD’s responsiveness to emerging threats.

How does this compare to NIST’s activity in 2023? Well, it’s not looking good. Jay Jacobs of Cyentia Institute analyzes trend changes in the NVD, and the following graph caught my eye. We’re supposed to get better, not worse! Since the number of CVE submissions continues to increase yearly, doing as well as last year is still problematic.

Why are we guessing?

The most glaring issue with the National Vulnerability Database (NVD) isn’t just the backlog or the delays—it’s NIST’s stark lack of transparency. There’s a frustrating silence on the reasons behind these delays and an apparent reluctance to engage meaningfully with the cybersecurity community. This absence of dialogue and clarity leaves many of us guessing about the state of a critical national cybersecurity asset.

What’s more, the situation reveals a missed opportunity for collaboration. The cybersecurity community has expertise and resources that could alleviate some of the NVD’s current challenges. Many within our ranks possess advanced tooling and methodologies that could streamline the CVE review and enrichment processes, transforming an arduous task into a more manageable one. This isn’t an overwhelmingly complex problem—it’s a matter of harnessing available technology and know-how.

The ongoing issues at NVD highlight the need for a more open approach, where NIST actively seeks support and input from external cybersecurity professionals. By fostering a collaborative environment, we cannot only speed up the processing of vulnerabilities but also ensure that the NVD remains a robust and reliable resource for everyone who depends on it.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!
-Kyle