October 2, 2024 at 08:36AM
NIST’s progress in addressing its backlog of security vulnerabilities fell short of its goal, with 18,358 CVEs still awaiting analysis as of September 21. Despite improvements, the enrichment process remains behind schedule, impacting organizations that rely on NVD data. NIST’s efforts to expedite processing and clear the backlog continue, with the delay affecting the cybersecurity landscape and open-source community projects.
Based on the meeting notes:
– NIST has made some progress in clearing its backlog of security vulnerability reports awaiting processing, but it is not as far along as hoped.
– NIST missed its self-imposed September 30 deadline to bring the speed at which its National Vulnerability Database (NVD) processes new flaws back to its pre-February rate.
– Patrick Garrity of VulnCheck reviewed CVE-labeled bugs successfully analyzed by NVD and reported “mixed” results.
– As of September 21, NVD still had 18,358 CVEs (72.4 percent of newly reported vulnerabilities) that need to be analyzed; that figure has since dropped slightly to 17,873.
– Jason Soroko of Sectigo highlighted that the backlog adds risk to the cybersecurity landscape.
– NIST hired an outside consultancy to help improve bug processing, resulting in some improvement over previous numbers, but a significant backlog remains.
– NIST’s backlog is causing organizations to lose visibility into their assets and is hurting security processes and open-source community projects.
– CISA’s Vulnrichment project is helping with independent CVSS severity scores and other data points for CVE-tagged bugs, but the NVD slowdown is still affecting security processes worldwide.
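The practical consequence of the backlog described above is that a vulnerability feed built only on NVD enrichment has no severity score for a large share of recent CVEs. The following is an added example (not code from the summary above, nor from NIST or CISA): it classifies NVD API records by their `vulnStatus`, measures the share still in the backlog (the kind of figure quoted above), and, for records NIST has not analyzed, falls back to the CVSS score published in the CISA ADP container that Vulnrichment adds to the CVE record, then to the CNA's own score. The field names assume the NVD API 2.0 layout (`vulnStatus`, `metrics.cvssMetricV31[].source`) and the CVE Record 5.x layout (`containers.adp[].providerMetadata.shortName == "CISA-ADP"`); the sample records and their `CVE-2024-0000N` identifiers are constructed for the example.

```python
"""Classify CVEs by NVD enrichment status and fall back to CISA Vulnrichment (ADP)
or CNA-supplied CVSS v3.1 scores when NIST has not yet analyzed the record."""
from dataclasses import dataclass
from typing import Optional

# NVD API 2.0 status values that mean NIST has not finished enrichment
# (assumed from the public NVD API documentation).
BACKLOG_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


@dataclass
class Priority:
    cve_id: str
    nvd_status: str
    score: Optional[float]
    score_source: str  # "nvd", "cisa-adp", "cna" or "none"


def nvd_score(cve: dict) -> Optional[float]:
    """NIST-authored CVSS v3.1 base score from an NVD API 2.0 record, if present."""
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        if m.get("source") == "nvd@nist.gov":
            return m["cvssData"]["baseScore"]
    return None


def cve5_fallback_score(record: dict):
    """(score, source) from a CVE Record 5.x JSON: CISA ADP container first, then CNA."""
    containers = record.get("containers", {})
    for adp in containers.get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") == "CISA-ADP":
            for m in adp.get("metrics", []):
                if "cvssV3_1" in m:
                    return m["cvssV3_1"]["baseScore"], "cisa-adp"
    for m in containers.get("cna", {}).get("metrics", []):
        if "cvssV3_1" in m:
            return m["cvssV3_1"]["baseScore"], "cna"
    return None, "none"


def prioritize(nvd_items: list, cve5_records: list) -> list:
    """Join NVD items with CVE 5.x records and pick the best available score for each."""
    by_id = {r["cveMetadata"]["cveId"]: r for r in cve5_records}
    out = []
    for item in nvd_items:
        cve = item["cve"]
        cid, status = cve["id"], cve.get("vulnStatus", "")
        score = nvd_score(cve)
        source = "nvd" if score is not None else "none"
        if score is None and cid in by_id:  # NVD gave nothing: use Vulnrichment/CNA data
            score, source = cve5_fallback_score(by_id[cid])
        out.append(Priority(cid, status, score, source))
    return out


def backlog_share(results: list) -> float:
    """Percentage of records NIST has not yet enriched."""
    if not results:
        return 0.0
    return 100.0 * sum(r.nvd_status in BACKLOG_STATUSES for r in results) / len(results)


# Constructed sample data (placeholder CVE ids, not real vulnerabilities).
SAMPLE_NVD = [
    {"cve": {"id": "CVE-2024-00001", "vulnStatus": "Analyzed", "metrics": {
        "cvssMetricV31": [{"source": "nvd@nist.gov", "cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-2024-00002", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-2024-00003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-2024-00004", "vulnStatus": "Received", "metrics": {}}},
]
SAMPLE_CVE5 = [
    {"cveMetadata": {"cveId": "CVE-2024-00002"}, "containers": {
        "cna": {"metrics": []},
        "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
                 "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5}}]}]}},
    {"cveMetadata": {"cveId": "CVE-2024-00003"}, "containers": {
        "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3}}]}}},
]

if __name__ == "__main__":
    results = prioritize(SAMPLE_NVD, SAMPLE_CVE5)
    for r in results:
        print(f"{r.cve_id:15} {r.nvd_status:18} score={r.score} via {r.score_source}")
    print(f"backlog share: {backlog_share(results):.1f}%")
```

Records that end with `score_source == "none"` are the ones a scanner or SBOM tool cannot rank at all; surfacing them explicitly, rather than silently treating a missing score as low severity, is the point of the check.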
It’s evident that NIST’s backlog of unanalyzed CVEs is causing widespread concerns and impacting organizations’ ability to prioritize and mitigate vulnerabilities. There is a need for NIST to expedite the analysis and enrichment process within the NVD to prevent further risk to cybersecurity.