
NVD Overhauls Operations as Vulnerability Reporting Surges


The National Vulnerability Database (NVD) team at the US National Institute of Standards and Technology (NIST) has recently made significant progress in overcoming internal challenges and stabilizing its operations. However, a new hurdle has emerged in the form of a surge in vulnerability reporting, leading to a backlog that threatens to overwhelm the team’s efforts.

Tanya Brewer, the NVD Program Manager, and Matthew Scholl, Chief of the Computer Security Division at NIST, provided updates on the NVD’s latest developments during the VulnCon event in Raleigh, North Carolina. They announced improvements in vulnerability processing and outlined strategies to address the growing backlog, including increased automation and the exploration of AI-powered solutions.

Following a period of internal issues caused by the end of a contract in early 2024, the NVD team has now regained its momentum. A commercial contract extension with an outside consultancy helped bolster the team and resolve the backlog. Despite initial challenges with onboarding new staff, the team has achieved processing rates comparable to pre-2024 levels, with a significant uptick in CVE processing in 2025.

The NVD has decided to forgo plans for a consortium to support its operations, opting instead to engage with the vulnerability management community through informal channels. While efforts to strengthen the team have been successful, the vulnerability backlog continues to grow rapidly. The increase in CVE reporting and submissions has contributed to the backlog’s expansion, with a notable rise in CVE publications observed in recent years.

To address the backlog, the NVD has implemented several strategies, including marking older CVEs as ‘Deferred’ and prioritizing gap-filling approaches for post-2018 vulnerabilities. The team is also exploring AI-powered tools for automating data processing tasks, particularly focused on Linux kernel CVEs. Additionally, internal and external enhancements, such as an upgraded vulnerability console and API, aim to streamline operations and improve data quality.

Despite these efforts, some experts in the vulnerability management community have expressed frustration with the NVD’s lack of transparency and limited communication. Suggestions to diversify vulnerability data sources have been made to mitigate reliance on the NVD alone. While the NVD continues to address the backlog and enhance its operations, the need for collaboration and diversified data sources remains a key consideration for the future.

Overall, the NVD has made significant strides in revitalizing its operations and addressing challenges, but continued efforts and collaboration with the broader security community will be essential to sustain progress and ensure effective vulnerability management in the future.

