Thursday, April 24, 2025

Meanwhile, back at the NVD

While the big news in the vulnerability management world last week was the near death of the CVE Program, this temporarily overshadowed the ongoing saga of the National Vulnerability Database (NVD). Since February 12, 2024, the NVD has stopped reliably performing one of its most important functions: adding CPE names (machine-readable software identifiers) to new CVE (vulnerability) records. For a discussion of why having a CPE name with every CVE Record is so important, see this post.

At the end of December, in the post I just linked, I estimated that the NVD’s backlog of CVE records without CPE names was around 22,000, or 55% of the approximately 40,000 new CVE Records created in 2024. In my most recent post on the NVD’s problems, written on March 19, I admitted I couldn’t estimate the backlog, although I noted that the “vulnerability historian” Brian Martin thought the NVD had completely stopped creating new CPE names altogether.

Brian has kept following the NVD (which he says has “returned”). Last week, he put up this post on LinkedIn. It illustrates how the NVD has been doing its best to disguise the huge backlog of “unenriched” CVE Records (i.e., those that have not had CPE names and CVSS scores added to them – both of which are NVD functions). Without going into details, Brian said the backlog of unenriched CVEs (since early 2024) was now 33,699. So, far from making progress getting rid of the backlog in 2025, the NVD has dug the hole deeper.

Of course, the backlog number is more meaningful when it is expressed as a percentage of the new CVE Records published since early 2024. Since the full-year 2024 number of new records was about 40,000 and we recently finished the first quarter of 2025, I estimate there have been about 50,000 new CVEs published since early 2024. This means that the 33,699 backlog constitutes roughly 67% of the new CVE Records published since the NVD’s problems began on February 12, 2024.

In other words, the backlog as a percentage of new CVE records has grown by about 12 percentage points, from roughly 55% to 67%. This obviously discredits the NVD’s preferred excuse for their problems: the volume of new CVE records has jumped and they’re struggling to keep up with it. That might explain the growth in the backlog itself, but it doesn’t explain a significant increase (in just 3 months!) in the percentage of CVE records that are unenriched (i.e., are in the backlog).

So what’s the NVD’s plan for finally eliminating this backlog? The last time they said anything about this was March 19, when they posted the following statement on their website:

We are currently processing incoming CVEs at roughly the rate we had sustained prior to the processing slowdown in spring and early summer of 2024. However, CVE submissions increased 32 percent in 2024, and that prior processing rate is no longer sufficient to keep up with incoming submissions. As a result, the backlog is still growing.

We anticipate that the rate of submissions will continue to increase in 2025. The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead.

To address these challenges, we are working to increase efficiency by improving our internal processes, and we are exploring the use of machine learning to automate certain processing tasks.

There’s one phrase in this statement that I strongly agree with: “the NVD is more important than ever in protecting our nation’s infrastructure.” That’s why this whole debacle is so appalling.

Don’t forget to donate! To produce these blog posts, I rely on support from people like you. If you appreciate my posts, please make that known by donating here. Any amount is welcome!

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

