NIST cuts down CVE analysis amid vulnerability overload
Summary
NIST is changing how it handles CVEs due to an overwhelming volume of submissions, leading to a significant backlog. The agency will now prioritize enriching CVEs in CISA's Known Exploited Vulnerabilities catalog and those related to federal government software and critical software.
IFF Assessment
This is bad news for defenders because a reduced focus on enriching less critical CVEs means a larger number of vulnerabilities will have less detailed information available (the severity scores, weakness classes and affected-product data that enrichment supplies), potentially delaying patching and increasing the attack surface.
Defender Context
Defenders should be aware that NIST's National Vulnerability Database (NVD) will have a reduced scope for detailed analysis of new CVEs. This means organizations will need to rely more heavily on other sources, such as CISA's KEV catalog and vendor advisories, to identify and prioritize critical vulnerabilities.
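The following is an added example, not code from the article or from NIST or CISA: a small triage routine that ranks a local CVE inventory by cross-referencing CISA's KEV catalog first, then CVSS where NVD has already supplied one, and finally flags CVEs that have no NVD enrichment at all as items needing a vendor-advisory lookup. The KEV records and the inventory are constructed sample data; the KEV field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed, and the inventory layout (cve, asset, cvss) is a hypothetical scanner export.

```python
"""
Added example (not part of the original article): prioritising a CVE inventory
when NVD enrichment is incomplete, using CISA's KEV catalog as the primary signal.

Assumptions (not from the article):
- KEV records carry the field names of the public KEV JSON feed; the records
  below are constructed sample data, not real catalog entries.
- The inventory format {cve, asset, cvss} is hypothetical; cvss is None when
  NVD has not enriched the CVE yet.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed KEV-style feed (sample data, not real catalog entries).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
         "dueDate": "2024-05-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Agent",
         "dueDate": "2024-06-15", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner export: cvss is None where NVD has not enriched the CVE.
INVENTORY = [
    {"cve": "CVE-0000-0001", "asset": "vpn-01", "cvss": None},
    {"cve": "CVE-0000-0002", "asset": "host-07", "cvss": 7.5},
    {"cve": "CVE-0000-0003", "asset": "host-09", "cvss": 9.8},
    {"cve": "CVE-0000-0004", "asset": "host-11", "cvss": None},
]

# Tier 0: KEV entry that is overdue or tied to ransomware campaigns.
# Tier 1: any other KEV entry.
# Tier 2: not in KEV but NVD-enriched with a critical CVSS score.
# Tier 3: not in KEV and no NVD enrichment: severity unknown, consult vendor advisory.
# Tier 4: everything else.
CRITICAL_CVSS = 9.0


@dataclass
class Finding:
    cve: str
    asset: str
    tier: int
    reason: str
    due: Optional[date]


def load_kev(feed: dict) -> dict[str, dict]:
    """Index a KEV-style feed by CVE id for O(1) lookup."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def classify(item: dict, kev: dict[str, dict], today: date) -> Finding:
    """Assign one inventory item to a triage tier."""
    entry = kev.get(item["cve"])
    if entry is not None:
        due = date.fromisoformat(entry["dueDate"])
        ransomware = entry["knownRansomwareCampaignUse"] == "Known"
        tier = 0 if (ransomware or due <= today) else 1
        reason = f"in KEV ({entry['vendorProject']} {entry['product']}), due {due}"
        return Finding(item["cve"], item["asset"], tier, reason, due)
    if item["cvss"] is None:
        return Finding(item["cve"], item["asset"], 3,
                       "not in KEV, no NVD enrichment: check vendor advisory", None)
    if item["cvss"] >= CRITICAL_CVSS:
        return Finding(item["cve"], item["asset"], 2,
                       f"not in KEV, NVD CVSS {item['cvss']}", None)
    return Finding(item["cve"], item["asset"], 4,
                   f"not in KEV, NVD CVSS {item['cvss']}", None)


def triage(inventory: list[dict], kev: dict[str, dict],
           today: date = date(2024, 5, 10)) -> list[Finding]:
    """Return findings ordered by tier, then by asset name."""
    findings = [classify(item, kev, today) for item in inventory]
    return sorted(findings, key=lambda f: (f.tier, f.asset))


def unenriched(inventory: list[dict]) -> list[str]:
    """CVE ids the scanner found but NVD has not yet scored."""
    return [item["cve"] for item in inventory if item["cvss"] is None]


if __name__ == "__main__":
    for f in triage(INVENTORY, load_kev(KEV_SAMPLE)):
        print(f"tier {f.tier}  {f.cve:14} {f.asset:8} {f.reason}")
    print("awaiting NVD enrichment:", unenriched(INVENTORY))
```

The point of the tier-3 bucket is that an unenriched CVE is not a low-priority CVE; it is one whose severity the NVD has not yet stated, so the queue keeps it visible rather than letting it sink beneath scored findings.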