Updates to its workflow allowed the institute to cope with the backlog of unanalyzed vulnerabilities.
The National Institute of Standards and Technology (NIST) announced that it was able to process the entire backlog of outstanding vulnerabilities, but admitted that it would not be possible to completely eliminate the delay before the end of the year.
At the beginning of the year, it turned out that due to the reduction of NIST resources, thousands of critical vulnerabilities were not analyzed and enriched with additional data. Enrichment is the process of adding detailed information about a vulnerability to the NVD database.
With the help of CISA and several private companies, NIST now has a full team of analysts and has begun to promptly process all new vulnerability records as soon as they become available. In addition, all vulnerabilities from the KEV catalog that remained in the queue were analyzed. Now all new vulnerabilities are also addressed in a timely manner.
In September, VulnCheck reported that as of September 21, more than 18,000 vulnerabilities were still unresolved in the database, which is about 72.4% of all CVE records. At the same time, almost half of these vulnerabilities have already been exploited by hackers, but have not yet been analyzed in detail.
NIST noted that it had previously expected to handle all vulnerabilities by the end of the year, but this plan turned out to be too optimistic. The problem is that data from Authorized Data Providers (ADPs), such as CISA, comes in formats that require additional processing. New systems are now being developed that will help process such data faster.
CISA became the first official data provider for NIST this year, allowing the agency to feed new vulnerabilities directly into the system. At the moment, NIST has not specified if there are other providers besides CISA.
Meanwhile, the NVD is introducing system updates from November 18, 2024, which will allow the collection of more granular data from certified sources (CNA and ADP). CVE records will now include more information such as links, CWEs, and CVSS scores, which will be displayed on the site and through the API. This will lead to more frequent updates to records, so companies should be prepared for more data.
In addition, NVD will improve the handling of duplicate links: tags will be automatically applied to all duplicate links. The order in which events in the CVE history are displayed will also be updated. Legacy API parameters such as HasCertAlerts and HasOval will also be removed, making it easier to find vulnerabilities. Support for the new CVSS v4.0 will allow for more accurate risk assessment based on updated criteria.
Earlier in April, cybersecurity experts sent a letter to Congress and U.S. Secretary of Commerce Gina Raimondo asking for additional funding to support the NVD. The letter to Congress highlights that the failure to restore NVD functionality threatens the safety of all, pointing to recent incidents such as the cyberattack on Change Healthcare, which paralyzed the healthcare industry for weeks.
On May 8, CISA announced the launch of the Vulnrichment program to add metadata to vulnerabilities. MITRE, which manages the CVE program, has also approved new rules for organizations that assign CVEs. Dozens of cybersecurity experts have previously signed a letter addressed to Congress and U.S. Secretary of Commerce Gina Raimondo, urging them to fund and protect NVD, calling it "critical infrastructure for a multitude of cybersecurity products".
Source
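As an added illustration of the enrichment gap and the CNA/ADP and CVSS v4.0 data described above (example code written for this post, not from NIST, NVD or the original article), this Python reads records in the NVD API 2.0 shape and reports which ones NVD itself has scored, which carry only CNA/ADP-supplied data while still awaiting analysis, and which list the same reference URL twice. The payload and all ids, sources, scores and URLs are constructed placeholders.

```python
# Added example (not NIST/NVD code): triage NVD API 2.0 records for enrichment gaps.
# SAMPLE is a constructed payload in NVD API 2.0 shape; ids, sources, scores, URLs are placeholders.
import json

SAMPLE = json.loads("""{"vulnerabilities": [
 {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
  "references": [{"url": "https://example.test/adv", "source": "cna@example.test"},
                 {"url": "https://example.test/adv", "source": "nvd@nist.gov"}],
  "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                  "description": [{"lang": "en", "value": "CWE-79"}]}],
  "metrics": {"cvssMetricV40": [{"source": "cna@example.test", "type": "Secondary",
                                 "cvssData": {"version": "4.0", "baseScore": 8.7}}],
              "cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                 "cvssData": {"version": "3.1", "baseScore": 7.5}}]}}},
 {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis",
  "references": [{"url": "https://example.test/x", "source": "cna@example.test"}],
  "weaknesses": [],
  "metrics": {"cvssMetricV40": [{"source": "adp-placeholder", "type": "Secondary",
                                 "cvssData": {"version": "4.0", "baseScore": 9.3}}]}}}
]}""")

def best_cvss(cve):
    """Score to act on: CVSS v4.0 first, then v3.1, from any source (NVD, CNA or ADP)."""
    for key in ("cvssMetricV40", "cvssMetricV31"):
        for m in cve.get("metrics", {}).get(key, []):
            return (m["cvssData"]["version"], m["cvssData"]["baseScore"], m["source"])
    return None

def cwes(cve):
    return sorted({d["value"] for w in cve.get("weaknesses", [])
                   for d in w["description"] if d["value"].startswith("CWE-")})

def duplicate_refs(cve):
    """Reference URLs listed more than once (e.g. by both the CNA and NVD)."""
    seen, dupes = set(), set()
    for r in cve.get("references", []):
        (dupes if r["url"] in seen else seen).add(r["url"])
    return sorted(dupes)

def triage(record):
    """nvd_enriched is true only when NVD itself supplied a CVSS metric;
    a CNA/ADP score can be present while the record still awaits NVD analysis."""
    cve = record["cve"]
    nvd_done = any(m["source"] == "nvd@nist.gov"
                   for ms in cve.get("metrics", {}).values() for m in ms)
    return {"id": cve["id"], "status": cve["vulnStatus"], "nvd_enriched": nvd_done,
            "cvss": best_cvss(cve), "cwes": cwes(cve), "duplicate_refs": duplicate_refs(cve)}

def triage_all(payload):
    return [triage(v) for v in payload["vulnerabilities"]]
```

Running `triage_all(SAMPLE)` shows the second record is still "Awaiting Analysis" with no NVD score, yet already carries an ADP-supplied CVSS v4.0 score a defender can use in the meantime.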