The National Vulnerability Database (NVD) team, under the US National Institute of Standards and Technology (NIST), has successfully stabilized after a tumultuous year filled with internal challenges and a mounting vulnerability backlog. However, the team now faces a new hurdle: a surge in vulnerability reporting has caused the backlog to skyrocket, potentially outpacing its recent progress.
Tanya Brewer, the NVD Program Manager, and Matthew Scholl, Chief of the Computer Security Division at NIST, provided updates on the NVD’s current status at VulnCon in Raleigh, North Carolina. They highlighted the team’s efforts to streamline vulnerability processing by implementing new strategies, such as automating data analysis tasks and exploring the use of AI-powered methods.
Following a period of internal disruptions due to a contract ending in early 2024, the NVD team responsible for adding and enriching vulnerabilities (CVEs) has regained momentum. With the help of an extended commercial contract and a newly onboarded team, the CVE processing rate has improved significantly, reaching pre-2024 levels by August 2024. The team has continued to enhance its capabilities, processing around 3000 CVEs per month in 2025.
Despite these positive developments, the vulnerability backlog continues to grow rapidly, reaching 25,000 unprocessed CVEs in March 2025. The influx of CVE submissions, which increased by 32% in 2024, has contributed to this backlog expansion. Efforts to analyze more CVEs each month have not been sufficient to keep up with the incoming submissions, so the backlog keeps growing.
To address the backlog challenges, the NVD has implemented several strategies. They have deferred the enrichment of pre-2018 CVEs to focus on more recent entries and introduced a gap-filling approach for post-2018 CVEs. The team is also exploring AI-powered tools for automating CPE data processing and is working on automating the collection and processing of Linux kernel CVEs.
Furthermore, the NVD team has made enhancements to their internal systems, search engine, and API, while also updating the NIST Vulnerability Data Ontology (Vulntology) to improve vulnerability data management. Despite these efforts, some members of the vulnerability community have expressed concerns about the NVD’s lack of transparency and infrequent public communication.
Looking ahead, experts in the vulnerability community have called for the diversification of CVE data sources to avoid relying solely on the NVD. Suggestions include exploring other platforms such as CVE.org, vendor advisories, CISA KEV, OSV.dev, and ExploitDB. The NVD team remains committed to engaging with the community and addressing concerns, striving to overcome the challenges posed by the growing vulnerability backlog.