CyberSecurity SEE

NIST pledges to resume NVD work

The US National Institute of Standards and Technology (NIST) has finally taken action after more than 100 days of stagnation at the National Vulnerability Database (NVD), where new CVE records were no longer being enriched with severity scores and other metadata. The resulting backlog slowed the triage and prioritization of software patches that depend on that data.

NIST announced on May 29 that it had awarded a contract for additional vulnerability-processing support and expects to return to previous processing rates within the next few months. The agency is also working with the Cybersecurity and Infrastructure Security Agency (CISA) to clear the backlog by the end of the US government’s fiscal year on September 30, and it is pursuing technology updates and process changes to handle the growing number of vulnerabilities reported each year.

Matt Scholl, chief of the Computer Security Division at NIST’s Information Technology Lab, emphasized that a collaborative approach involving both public and private sector participants is needed to address the backlog effectively. He outlined plans to work with various entities in the cybersecurity community to update data specifications, transition to new standards, and improve the overall vulnerability-management process.

The cause of the bottleneck that halted processing earlier this year remains somewhat unclear. NIST stopped analyzing new vulnerabilities in mid-February, attributing the halt to a combination of factors that together created a challenging situation. Identifiers themselves are assigned upstream by CVE Numbering Authorities under the Common Vulnerabilities and Exposures (CVE) program; the NVD’s role is to enrich each published CVE record with additional information, principally CVSS severity scores, CWE weakness classifications, and CPE identifiers for the affected products.
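As an added illustration (my own example code, not from the article, NIST or CISA), the following Python classifies NVD API 2.0 CVE records by whether NVD’s own enrichment is present (a CVSS entry of type "Primary" and a vulnStatus past the analysis queue), and falls back to the CNA- or ADP-supplied "Secondary" score for triage when it is not. The sample records and their CVE IDs are constructed placeholders; the field names follow the NVD 2.0 JSON schema, and the score-fallback policy is an assumption of this example, not NIST guidance.

```python
"""Classify NVD API 2.0 CVE records by how far NVD enrichment has progressed.

The records in SAMPLE_RECORDS are constructed to mimic the shape of NVD's
/rest/json/cves/2.0 responses; their CVE IDs are placeholders, not real CVEs.
"""

# NVD's own analysis carries type "Primary"; CVSS supplied by a CNA or an ADP
# (for example CISA's Vulnrichment) carries type "Secondary". The vulnStatus
# values are those the NVD 2.0 schema uses for records not yet analyzed.
UNENRICHED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def _cvss_entries(cve: dict) -> list:
    """Flatten every CVSS entry on a record, whatever its version key."""
    metrics = cve.get("metrics") or {}
    return [e for key in CVSS_KEYS for e in metrics.get(key, [])]


def enrichment_status(record: dict) -> dict:
    """Return the enrichment state and the best score available for triage."""
    cve = record["cve"]
    entries = _cvss_entries(cve)
    nvd_scores = [e["cvssData"]["baseScore"] for e in entries if e.get("type") == "Primary"]
    other_scores = [e["cvssData"]["baseScore"] for e in entries if e.get("type") == "Secondary"]
    status = cve.get("vulnStatus", "Unknown")
    enriched = bool(nvd_scores) and status not in UNENRICHED_STATUSES

    # Fallback policy (an assumption of this example): use CNA/ADP-supplied
    # scores when NVD has not analyzed the record. A missing NVD score is a
    # backlog symptom, not evidence of low severity.
    if nvd_scores:
        score, score_source = max(nvd_scores), "nvd"
    elif other_scores:
        score, score_source = max(other_scores), "cna_or_adp"
    else:
        score, score_source = None, "none"

    return {
        "id": cve["id"],
        "vuln_status": status,
        "nvd_enriched": enriched,
        "has_nvd_cwe": any(w.get("type") == "Primary" for w in cve.get("weaknesses", [])),
        "has_cpe": bool(cve.get("configurations")),
        "score": score,
        "score_source": score_source,
    }


def backlog_summary(records: list) -> dict:
    """Count records by enrichment state and list those with no usable score."""
    summary = {"enriched": 0, "unenriched": 0, "no_score_at_all": []}
    for rec in records:
        st = enrichment_status(rec)
        summary["enriched" if st["nvd_enriched"] else "unenriched"] += 1
        if st["score"] is None:
            summary["no_score_at_all"].append(st["id"])
    return summary


def _cvss31(score: float, source: str, kind: str) -> dict:
    """Build a minimal cvssMetricV31 entry for the constructed samples."""
    return {"source": source, "type": kind,
            "cvssData": {"version": "3.1", "baseScore": score}}


# Constructed sample records (placeholder IDs, not real vulnerabilities).
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [_cvss31(9.8, "nvd@nist.gov", "Primary"),
                                           _cvss31(8.8, "cna@example.org", "Secondary")]},
             "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                             "description": [{"lang": "en", "value": "CWE-787"}]}],
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [_cvss31(7.5, "cna@example.org", "Secondary")]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Received", "metrics": {}}},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(enrichment_status(rec))
    print(backlog_summary(SAMPLE_RECORDS))
```

Run against a real feed, a non-zero `unenriched` count is the backlog this article describes, and the `no_score_at_all` list is where a patching pipeline keyed on CVSS silently drops work.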

The scale of the problem has grown steadily for years. After the CVE program streamlined the assignment of identifiers in 2017, the number of vulnerabilities disclosed annually surged: fewer than 6,500 were disclosed in 2016, and this year’s count is expected to surpass 36,000. The surge burdens not only defenders applying patches but also threat-intelligence providers trying to analyze and interpret the volume.

To address the backlog, NIST plans to collaborate with CISA and draw on efforts such as CISA’s Vulnrichment project, which adds metadata from the Stakeholder-Specific Vulnerability Categorization (SSVC) decision analysis to CVE records. By combining forces, the two agencies hope to find a sustainable solution to the processing challenges.

Despite these efforts, concerns remain about whether the current measures will be sufficient in the long run. Industry professionals have urged Congress to treat the NVD as critical infrastructure and an essential service, and have suggested establishing a nonprofit foundation through a public-private partnership to ensure adequate resources and continuity of operations.

As the cybersecurity community continues to grapple with the ever-increasing volume of vulnerabilities, the importance of investing in and prioritizing vulnerability information cannot be overstated. While short-term solutions are being implemented, the sustainability and longevity of these efforts remain a concern for stakeholders such as Josh Bressers of Anchore, who has emphasized the thankless and challenging nature of the work involved in managing vulnerabilities effectively.
