Voices from the vulnerability management community have warned that lingering issues with the US National Vulnerability Database (NVD) could lead to a major security crisis in the supply chain.
A group of 50 cybersecurity experts signed an open letter on April 12 to U.S. Secretary of Commerce Gina Raimondo and several members of Congress.
The title of the letter is A cybersecurity crisis awaits: The need to restore and strengthen operations with a national vulnerability database.
In the letter, the signatories urge Congress to investigate the ongoing issues with NVD, help the National Institute of Standards and Technology (NIST) restore vulnerability enrichment, and support NIST in modernizing the NVD program.
NVD Consortium: NIST Response to Vulnerability Backlog
In early March, security researchers noticed a significant drop in the enrichment data being published on the NVD website. The decline began in mid-February.
Vulnerability entries (Common Vulnerabilities and Exposures, or CVE records) continued to be added to the database, but many were not fully analyzed.
This means that important metadata about each CVE was missing: the corresponding weakness class (Common Weakness Enumeration, CWE), the affected-product identifiers (Common Platform Enumeration, CPE) that scanners use to match a CVE against an inventory, and the severity score (Common Vulnerability Scoring System, CVSS).
According to NIST's own data, NIST has analyzed only 4,398 of the 10,826 CVEs it has received so far this year.
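The gap described above is visible in the records NVD serves through its CVE API 2.0: an unenriched record carries a description and a `vulnStatus` such as "Awaiting Analysis", but no NVD-sourced `weaknesses`, `configurations` (CPE) or `metrics` (CVSS). The following is an added example, not code from the open letter, NIST or the NVD project. It triages records from an API 2.0 response, reports which enrichment fields NVD has not supplied, and falls back to a CNA-supplied CVSS score when NVD has none, which is the pass-through behaviour the letter recommends. The record layout follows the public API 2.0 schema; the three sample records and their CVE identifiers (year 1900) and vendor names are constructed for the example and are not real CVEs.

```python
"""Triage NVD CVE API 2.0 records for missing NVD enrichment (added example)."""
import json
from typing import Optional, Tuple

NVD_SOURCE = "nvd@nist.gov"            # source value NVD uses for its own analysis
ANALYZED_STATUSES = {"Analyzed", "Modified"}

# Constructed sample response in the API 2.0 layout; not real CVE records.
SAMPLE_RESPONSE = json.dumps({
    "resultsPerPage": 3, "startIndex": 0, "totalResults": 3,
    "vulnerabilities": [
        {"cve": {                       # fully enriched by NVD
            "id": "CVE-1900-0001", "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{
                "source": NVD_SOURCE, "type": "Primary",
                "cvssData": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]},
            "weaknesses": [{"source": NVD_SOURCE, "type": "Primary",
                            "description": [{"lang": "en", "value": "CWE-200"}]}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:widget:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {                       # CNA scored it; NVD has not analyzed it
            "id": "CVE-1900-0002", "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [{
                "source": "security@examplevendor.invalid", "type": "Secondary",
                "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
        }},
        {"cve": {                       # nothing beyond the CVE id and status
            "id": "CVE-1900-0003", "vulnStatus": "Awaiting Analysis",
        }},
    ],
})


def _metrics(cve: dict) -> list:
    """Flatten every CVSS metric list (cvssMetricV2/V30/V31/V40) into one list."""
    flat = []
    for entries in cve.get("metrics", {}).values():
        flat.extend(entries)
    return flat


def pick_score(cve: dict) -> Tuple[Optional[float], Optional[str]]:
    """Prefer NVD's own CVSS base score; otherwise pass through a CNA score.

    Returns (baseScore, origin) where origin is "nvd", "cna" or None.
    """
    metrics = _metrics(cve)
    for m in metrics:
        if m.get("source") == NVD_SOURCE and "cvssData" in m:
            return m["cvssData"]["baseScore"], "nvd"
    for m in metrics:
        if "cvssData" in m:
            return m["cvssData"]["baseScore"], "cna"
    return None, None


def enrichment_gaps(cve: dict) -> list:
    """List the NVD-supplied fields that are missing from a record."""
    gaps = []
    if cve.get("vulnStatus") not in ANALYZED_STATUSES:
        gaps.append(f"vulnStatus={cve.get('vulnStatus')}")
    if not any(w.get("source") == NVD_SOURCE for w in cve.get("weaknesses", [])):
        gaps.append("no NVD CWE")
    if not cve.get("configurations"):
        gaps.append("no CPE applicability")      # scanners cannot match it to inventory
    if not any(m.get("source") == NVD_SOURCE for m in _metrics(cve)):
        gaps.append("no NVD CVSS")
    return gaps


def triage(response_text: str) -> dict:
    """Map each CVE id in an API 2.0 response to its score, score origin and gaps."""
    rows = {}
    for item in json.loads(response_text)["vulnerabilities"]:
        cve = item["cve"]
        score, origin = pick_score(cve)
        rows[cve["id"]] = {
            "status": cve.get("vulnStatus"),
            "score": score,
            "score_origin": origin,
            "gaps": enrichment_gaps(cve),
        }
    return rows


if __name__ == "__main__":
    for cve_id, row in triage(SAMPLE_RESPONSE).items():
        print(cve_id, row["status"], row["score"], row["score_origin"], row["gaps"])
```

Run against a real response (for example the JSON returned by the `cves` endpoint of the API, saved to a file) the same function shows how much of a feed is unusable for CPE-based matching. A CNA score used as a fallback is still a vendor's own assessment, so the `score_origin` field should be carried into whatever prioritization the score feeds.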
The problem appears to stem from a lack of resources, both funding and staff.
In late March, NIST launched an industry consortium to help operate and fund future NVD programs.
Prioritize short-term responses
Signatories of the open letter argued that resolving the current NVD backlog should be a priority.
Because NVD is the world's most comprehensive vulnerability database, many companies rely on it to prioritize and deploy updates and patches.
If such issues are not resolved quickly, they can have a significant impact on security research communities and organizations around the world.
The authors suggested that once this is complete, NIST and the NVD consortium should focus on reorganizing vulnerability disclosure and management processes within the NVD program.
For now, the signatories are asking Congress to support NIST with three immediate actions:
- Investigate ongoing issues with NVD
- Ensure NIST has the resources it needs to immediately restore operations
- Lay the foundation for significant improvements in services
Restoring NVD operations: industry recommendations
To achieve these goals, the signatories proposed several recommendations, including:
- Implement a temporary NVD process that serves as a pass-through for CVE Numbering Authority (CNA) data, without rescoring or duplicating the work of the CVE program except where the data provided by the CNA is obviously inaccurate.
- Establish a plan with clear timelines and accountability for improving NVD processes and operations, followed by a public comment period that opens the plan to input from public and private stakeholders.
- Investigate NIST's lack of transparency regarding the regression of NVD operations between February 15 and March 25.
- Consider sustainable financing that provides reliable resources for NVD's daily operations without creating conflicts of interest.
- Treat NVD as critical infrastructure, ensuring that the program continues to operate during a government shutdown or any other disruption that could interrupt the critical services it provides.
- Keep NVD independent. Industry collaboration with NIST and NVD should be encouraged, but given NVD's role as a source of truth for the federal government, a single organization should own and operate it.
The signatories of this open letter are individuals from across the security industry, including technology giants like Google, open source organizations like OpenSSF, and security vendors like Chainguard, VulnCheck, and Okta.