NIST to stop rating non-priority flaws due to volume increase
Summary
NIST will cease rating the severity of non-priority software vulnerabilities due to an overwhelming increase in submission volume. This change aims to streamline its process and focus resources on critical security flaws. The decision means fewer vulnerabilities will receive official severity scores from NIST.
IFF Assessment
This is bad news for defenders because it means fewer vulnerabilities will have official severity ratings, making it harder to prioritize patching and assess risk.
Defender Context
Defenders will need to rely more heavily on other methods to assess vulnerability risk, such as vendor advisories, threat intelligence feeds, and internal asset criticality. This shift emphasizes the need for robust internal vulnerability management programs that are not solely dependent on external scoring systems.