Hackers rejoice: NVD drowned in a backlog of vulnerabilities

Three months without updates is a great opportunity for cybercriminals.

The world's largest vulnerability database, NVD, managed by the US National Institute of Standards and Technology (NIST), recently experienced a major outage that left a significant number of vulnerabilities unanalyzed and unpublished.

Since mid-February 2024, the database has had problems processing new data, and from May 9 the service stopped showing new vulnerabilities altogether, which caused concern among cybersecurity researchers.

Specialists from the public and private sectors are doing their best to work through the extensive backlog accumulated over three months and to fill in the gaps where possible.

Since February 12 of this year, NIST has been able to analyze and add only 4,524 of the 14,286 vulnerabilities to its database. This degrades the awareness of security teams and creates new opportunities for attackers.

At the recent RSA conference, Emmanuel Chawoya, CEO of RiskHorizon.ai, stated that the unanalyzed vulnerabilities are already being actively exploited. Many companies depend on NVD for prioritizing software updates and fixes, so the halt in publications has become a major problem.

Employees of various companies and government agencies confirmed that no new vulnerabilities had been added to the database via the API since May 9. A NIST representative explained that the problems were caused by the transition to the new CVE JSON data format. Processing of vulnerabilities did not stop, but public publication was suspended for the system update, which was only completed on May 14.

In March, Tanya Brewer, NVD program manager, announced the creation of a consortium to solve the problems, but specific details remain unknown. Meanwhile, private companies such as RiskHorizon.ai have launched their own platforms, such as the "NVD Backlog Tracker", to track unanalyzed vulnerabilities.

RiskHorizon.ai stated that its tracker covers 85% of the unanalyzed vulnerabilities, providing data on their criticality and exploitation activity, but access to the platform is subject to a fee.

Other companies, such as Trend Micro and VulnCheck, are also actively publishing new vulnerabilities, offering an alternative to NVD.

On May 8, the US Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of the Vulnerability program to add metadata to vulnerabilities. MITRE, which manages the CVE program, also approved new rules for organizations that assign CVEs.

While the current measures are helping to reduce the backlog in vulnerability analysis, the CEO of RiskHorizon.ai believes that long-term solutions are needed. He suggests automating the vulnerability disclosure process, which, in his opinion, would make it possible to deal with the problem more effectively.
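The practical problem behind the article is that a CVE can sit in NVD without NIST's own CVSS score or CPE data, so scanners that key on NVD enrichment silently under-prioritize it. The script below, an added example that is not from the article, from NIST, or from RiskHorizon.ai's tracker, shows how a team can spot such records in NVD API 2.0 output: it reads the `vulnerabilities[].cve` objects (the `vulnStatus`, `published` and `metrics.cvssMetricV31` fields are the real NVD API 2.0 layout; the sample response, the CVE IDs of the form CVE-0000-000N and the CNA source address are constructed placeholders used so the script runs offline). Records whose `vulnStatus` is still Received, Awaiting Analysis or Undergoing Analysis, or that have no Primary `nvd@nist.gov` score, are reported with their age and any CNA-supplied fallback score.

```python
"""Find NVD records that NIST has not yet enriched (the "backlog").

Added example; field names follow NVD API 2.0
(https://services.nvd.nist.gov/rest/json/cves/2.0). SAMPLE_RESPONSE is a
constructed stand-in for a real API page, not actual NVD data.
"""
from datetime import datetime

# vulnStatus values NVD uses before it has produced its own CVSS/CPE data.
UNENRICHED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# Constructed sample mimicking the NVD API 2.0 response shape (placeholder IDs).
SAMPLE_RESPONSE = {
    "resultsPerPage": 3, "startIndex": 0, "totalResults": 3,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2024-02-01T10:00:00.000",
                 "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"source": "nvd@nist.gov", "type": "Primary",
                      "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-0000-0002", "published": "2024-03-15T12:30:00.000",
                 "vulnStatus": "Awaiting Analysis", "metrics": {}}},
        {"cve": {"id": "CVE-0000-0003", "published": "2024-05-09T08:00:00.000",
                 "vulnStatus": "Received",
                 "metrics": {"cvssMetricV31": [
                     # A CNA-supplied score (type "Secondary"); hypothetical source.
                     {"source": "cna@example.org", "type": "Secondary",
                      "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    ],
}


def _v31_metrics(cve):
    return cve.get("metrics", {}).get("cvssMetricV31", [])


def nvd_score(cve):
    """Return NIST's own (Primary, nvd@nist.gov) CVSS v3.1 base score, or None."""
    for m in _v31_metrics(cve):
        if m.get("type") == "Primary" and m.get("source") == "nvd@nist.gov":
            return m["cvssData"]["baseScore"]
    return None


def is_unenriched(cve):
    """True when NVD has not finished analysis or has not assigned its own score."""
    return cve.get("vulnStatus") in UNENRICHED_STATUSES or nvd_score(cve) is None


def enrichment_ratio(response):
    """Return (analyzed, total) for one API page, mirroring the 4,524 / 14,286 figure."""
    cves = [v["cve"] for v in response["vulnerabilities"]]
    return sum(1 for c in cves if not is_unenriched(c)), len(cves)


def backlog(response, as_of="2024-05-14T00:00:00"):
    """List unenriched records, oldest first, with a CNA fallback score if any."""
    now = datetime.fromisoformat(as_of)
    rows = []
    for item in response["vulnerabilities"]:
        cve = item["cve"]
        if not is_unenriched(cve):
            continue
        published = datetime.strptime(cve["published"], "%Y-%m-%dT%H:%M:%S.%f")
        # Any score at all (e.g. from the CNA) is better than none for triage.
        fallback = next((m["cvssData"]["baseScore"] for m in _v31_metrics(cve)), None)
        rows.append({"id": cve["id"], "status": cve.get("vulnStatus"),
                     "days_waiting": (now - published).days,
                     "fallback_score": fallback})
    return sorted(rows, key=lambda r: r["days_waiting"], reverse=True)


if __name__ == "__main__":
    done, total = enrichment_ratio(SAMPLE_RESPONSE)
    print(f"NVD-enriched: {done}/{total}")
    for row in backlog(SAMPLE_RESPONSE):
        print(f"{row['id']}: {row['status']}, waiting {row['days_waiting']} days, "
              f"fallback score {row['fallback_score']}")
```

Against a live feed you would page through the API with `startIndex` and feed each page to `backlog()`; the point of the `fallback_score` column is that a CNA-supplied score in `cvssMetricV31` is often present even while `vulnStatus` is still "Received", so it should not be discarded just because NIST's Primary entry is missing.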