The US National Institute of Standards and Technology (NIST) has scaled back its enrichment of CVE data in the National Vulnerability Database (NVD) — a resource that underpins vulnerability management worldwide, including here in New Zealand. For local security teams who rely on NVD data to triage and prioritise patching, this change creates real operational gaps that need to be addressed.

What This Means

NIST's NVD has historically been the authoritative source of enriched vulnerability data — adding CVSS scores, CPE identifiers, and contextual metadata to raw CVE entries published by MITRE. This enrichment is what makes vulnerability scanners, SIEMs, and patch management platforms work effectively. With NIST reducing that enrichment work, many CVEs now sit in the database without the detail security tools need to match them to affected systems.

The gap is being partially filled by industry and ad hoc coalitions. Groups like the CVE Consortium, commercial vendors, and open-source projects are stepping in to enrich vulnerability data independently. However, this fragmentation means organisations may need to pull from multiple feeds to get a complete picture, and the consistency and quality that a single authoritative source provided are no longer guaranteed.

For cyber teams, the immediate impact is operational. Automated tooling that depends on NVD metadata may miss vulnerabilities or misclassify their severity. Analysts are spending more time manually researching CVEs, and risk-based prioritisation becomes harder when standardised scoring and product mapping are incomplete or delayed.

Longer term, this shift is prompting a rethink of how the global vulnerability ecosystem should be funded and governed. Reliance on a single US government agency was always a structural risk — one that NZ organisations, along with the rest of the world, are now feeling directly.

Key Takeaways

  • NIST has reduced its enrichment of CVE data in the NVD, leaving many entries without CVSS scores or product identifiers.
  • Vulnerability scanners and patch management tools that depend on NVD metadata may produce incomplete results.
  • Industry coalitions and commercial providers are stepping in, but the ecosystem is now more fragmented.
  • Manual triage effort has increased for security analysts trying to assess real-world risk.
  • The situation highlights the risk of relying on a single authoritative vulnerability data source.
  • Alternative feeds (CISA KEV, vendor advisories, commercial threat intel) are becoming more important.

What NZ Businesses Should Do

  1. Audit your vulnerability data sources. Check whether your scanners, SIEM, or patch tools rely solely on NVD enrichment. Ask vendors how they're handling the NIST cutback and what alternative sources they're integrating.
  2. Supplement NVD with additional feeds. Incorporate CISA's Known Exploited Vulnerabilities (KEV) catalogue, vendor security advisories (Microsoft, Cisco, Fortinet, etc.), and sources like GitHub Security Advisories or the EPSS exploit prediction feed.
  3. Prioritise based on exploitation, not just CVSS. With CVSS scoring lagging, lean more heavily on evidence of active exploitation and asset criticality when deciding what to patch first.
  4. Review your SLAs and processes. If your patching SLAs are tied to CVSS severity from NVD, update them to account for delayed or missing scores. Build in manual review steps for high-risk assets.
  5. Engage with CERT NZ. Stay subscribed to CERT NZ advisories and sector-specific ISACs for locally relevant vulnerability context that isn't dependent on NVD timeliness.
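Steps 2 to 4 above, as an added worked example that is not part of the original article: a small triage routine that ranks scanner findings when the NVD CVSS score is missing, using a KEV list and EPSS probabilities as the primary signal and asset criticality as the tiebreaker. The CVE identifiers, feed contents, asset names and tier thresholds are all constructed for illustration, not taken from any real feed.

```python
# Constructed scanner export: cvss is None where NVD enrichment has not happened.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "web-proxy-01", "cvss": None},
    {"cve": "CVE-0000-0002", "asset": "hr-laptop-17", "cvss": 9.8},
    {"cve": "CVE-0000-0003", "asset": "web-proxy-01", "cvss": 5.3},
    {"cve": "CVE-0000-0004", "asset": "build-server", "cvss": None},
]
# Constructed stand-ins for the CISA KEV catalogue and the EPSS feed.
KEV = {"CVE-0000-0001"}
EPSS = {"CVE-0000-0001": 0.92, "CVE-0000-0002": 0.04, "CVE-0000-0003": 0.61}
# Assumed asset criticality from an inventory: 1 = low, 2 = medium, 3 = critical.
CRITICALITY = {"web-proxy-01": 3, "hr-laptop-17": 1, "build-server": 2}


def triage(finding, kev=KEV, epss=EPSS, criticality=CRITICALITY, epss_threshold=0.5):
    """Return (tier, needs_manual_review) for one finding.

    Exploitation evidence outranks CVSS; a missing CVSS with no exploitation
    signal is flagged for manual review instead of being silently dropped.
    """
    cve = finding["cve"]
    crit = criticality.get(finding["asset"], 2)  # unknown asset: treat as medium
    cvss = finding["cvss"]
    prob = epss.get(cve)
    if cve in kev:
        return "P1", False  # known exploited: patch first regardless of score
    if prob is not None and prob >= epss_threshold:
        return ("P1" if crit == 3 else "P2"), False
    if cvss is None:
        # No NVD score and no exploitation signal: cannot rank automatically.
        return ("P2" if crit == 3 else "P3"), True
    if cvss >= 9.0:
        return "P2", False
    if cvss >= 7.0:
        return ("P2" if crit == 3 else "P3"), False
    return "P4", False


def rank(findings, criticality=CRITICALITY):
    """Annotate each finding with its tier and sort: tier first, then criticality."""
    out = []
    for f in findings:
        tier, manual = triage(f)
        out.append({**f, "tier": tier, "manual_review": manual})
    # Stable sort keeps scanner order within equal (tier, criticality).
    return sorted(out, key=lambda r: (r["tier"], -criticality.get(r["asset"], 2)))


if __name__ == "__main__":
    for row in rank(FINDINGS):
        flag = " (manual review)" if row["manual_review"] else ""
        print(f'{row["tier"]} {row["cve"]} on {row["asset"]}{flag}')
```

In a real pipeline the three dictionaries would be replaced by parsed KEV, EPSS and inventory exports, and the manual-review flag feeds the review step that step 4 recommends.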

Source: Read the full article on Dark Reading