The NVD is an essential resource used by cybersecurity professionals and researchers all over the world to identify and mitigate vulnerabilities in software and firmware. Since the start of a significant slowdown in the processing of vulnerabilities in February, NVD has made progress in processing the backlog of submitted vulnerabilities. Using a new dashboard Fortress is updating daily, we're going to look at the current progress, the volume of new CVEs being submitted, and estimate what's needed to clear the backlog.
NVD Overview and Enrichment Issues
Since Feb 17, 2024, staff at the US National Institute of Standards and Technology (NIST) have had reduced capacity for enriching CVE vulnerability data added to the National Vulnerability Database (NVD). NVD is a repository of vulnerability information on security-related software flaws, including severity scores, misconfigurations, affected product names, impact metrics, and patching status.
CVE Numbering Authorities (CNAs), which include vendors, researchers, bug bounty programs, and others, publish CVE records; NVD ingests each record and NIST analysts 'enrich' it, adding or refreshing metadata that the CNA may not have supplied, including:
- Common Vulnerability Scoring System (CVSS) scores and metrics
- Common Platform Enumeration (CPE) identifiers, which name the products affected by the CVE
- Vulnerability descriptions
- Common Weakness Enumeration (CWE) data: categories of software and hardware flaws, errors, bugs, and other weaknesses
- Patching status
- Links to mitigations, research, and other references
One of the most significant impacts has been the lack of a CVSS severity score. Organizations use this score to prioritize remediation efforts. CVE identification and creation never stopped or slowed down, but the information in recently published CVE entries is limited to whatever the CNA that published them provided. Example: CVE-2024-26667, published on April 2, 2024:
The Good News
On May 29, 2024, NIST announced additional resources for clearing the backlog, with a stated goal of clearing the existing CVE backlog by the end of the Federal Government's fiscal year, September 30, 2024.
Additionally, while a CVSS score from a neutral party like NIST may be missing, the organization that reported the CVE often includes a preliminary CVSS score. Many of the largest vendors (e.g. Microsoft, Google, IBM, Oracle, Apple) report and provide the initial information on newly published CVEs for their own products, so the score shown in NVD for an unanalyzed CVE is often the vendor's own estimate rather than an independent assessment.
NVD is now including data from the Cybersecurity and Infrastructure Security Agency (CISA) 'Vulnrichment' program, which adds CVSS and CWE information to CVE records as an Authorized Data Publisher (ADP) alongside the CNA's own data.
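While NIST analysis is pending, the practical question is which score to act on: NIST's own, CISA's ADP enrichment, or the vendor's preliminary estimate. The following is an added example (not Fortress's or NVD's code) that applies that preference order to records in the shape returned by the NVD API 2.0 (`https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=...`), where each CVSS entry carries a `source` and a `type` of Primary (NIST) or Secondary (CNA or ADP), and `vulnStatus` reports whether analysis has happened. The sample records and the `CISA_ADP_SOURCE` identifier are constructed placeholders; take the real source identifier from a live record.

```python
"""Choose the most authoritative CVSS v3.1 score available for CVEs returned by the
NVD API 2.0, falling back to CISA ADP or CNA/vendor metrics while NIST's own
analysis is pending.

Added example; not Fortress's or NVD's code. The sample records below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# vulnStatus values NVD uses once NIST analysts have enriched a record.
ANALYZED_STATUSES = {"Analyzed", "Modified"}

# Placeholder (assumption): NVD identifies each contributing source by the value of
# its `source` field. Use the identifier seen on a live record for CISA's ADP; this
# string exists only so the sample data can exercise the preference order.
CISA_ADP_SOURCE = "cisa-adp@example"


@dataclass
class Score:
    cve_id: str
    status: str
    base_score: Optional[float]
    severity: Optional[str]
    vector: Optional[str]
    source: Optional[str]   # value of the chosen metric's `source` field
    preliminary: bool       # True unless the score is NIST's own Primary metric


def pick_cvss(cve: dict, preferred_sources: Iterable[str] = ()) -> Score:
    """Pick one CVSS v3.1 metric from an NVD `cve` object.

    Preference: NVD's Primary metric, then Secondary metrics whose source appears in
    `preferred_sources` (in the order given), then any other Secondary metric.
    """
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    status = cve.get("vulnStatus", "")
    primary = [m for m in metrics if m.get("type") == "Primary"]
    secondary = [m for m in metrics if m.get("type") == "Secondary"]

    chosen = primary[0] if primary else None
    if chosen is None:
        for src in preferred_sources:
            chosen = next((m for m in secondary if m.get("source") == src), None)
            if chosen is not None:
                break
    if chosen is None and secondary:
        chosen = secondary[0]

    if chosen is None:  # nothing scored it yet (common for CNAs that never supply CVSS)
        return Score(cve["id"], status, None, None, None, None, True)
    data = chosen["cvssData"]
    return Score(cve["id"], status, data["baseScore"], data["baseSeverity"],
                 data["vectorString"], chosen.get("source"), chosen.get("type") != "Primary")


def triage(response: dict, preferred_sources: Iterable[str] = ()) -> List[Score]:
    """Score every record in an NVD API 2.0 response body."""
    prefs = tuple(preferred_sources)
    return [pick_cvss(v["cve"], prefs) for v in response.get("vulnerabilities", [])]


def is_analyzed(score: Score) -> bool:
    """True once NIST has enriched the record, regardless of which score was chosen."""
    return score.status in ANALYZED_STATUSES


def _metric(source: str, mtype: str, vector: str, score: float, severity: str) -> dict:
    return {"source": source, "type": mtype,
            "cvssData": {"version": "3.1", "vectorString": vector,
                         "baseScore": score, "baseSeverity": severity}}


SAMPLE_RESPONSE = {  # constructed sample; shape follows the NVD API 2.0 response body
    "vulnerabilities": [
        {"cve": {"id": "CVE-2024-90001", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [
                     _metric("security@vendor.example", "Secondary",
                             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, "CRITICAL"),
                     _metric(CISA_ADP_SOURCE, "Secondary",
                             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 7.5, "HIGH")]}}},
        {"cve": {"id": "CVE-2024-90002", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     _metric("security@vendor.example", "Secondary",
                             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 5.3, "MEDIUM"),
                     _metric("nvd@nist.gov", "Primary",
                             "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 8.8, "HIGH")]}}},
        {"cve": {"id": "CVE-2024-90003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    ]
}


if __name__ == "__main__":
    for s in triage(SAMPLE_RESPONSE, [CISA_ADP_SOURCE]):
        if s.base_score is None:
            tag = "no score available"
        elif s.preliminary:
            tag = f"preliminary, from {s.source}"
        else:
            tag = "NIST analysis"
        print(f"{s.cve_id}: {s.status:<18} score={s.base_score} ({tag})")
```

The `preliminary` flag is what a vulnerability-management pipeline should carry forward: a vendor's 9.8 and NIST's 9.8 deserve different confidence, and a record with no score at all should be queued for manual review rather than silently treated as low risk.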
Longer-term, NIST is working to form a public-private consortium to support the ever-increasing volume of CVEs with additional resources, along with feature development that the security community has been requesting for a long time.
Trend Analysis
Fortress' NVD CVE Analysis Rate Report tracks and calculates several metrics daily, including how many CVEs were received versus analyzed over the last day, week, month, and year.
As of July 18th, there is a backlog of 16,672 CVEs awaiting analysis, and 20.87% of the CVEs published in June were analyzed. The percentage of new CVEs analyzed each month increased sharply from the previous month as the impact of the added resources begins to show; however, the backlog itself is still growing.
We've also estimated the analysis rate needed to clear the backlog by the end of December 2024, along with the rate needed to additionally keep up with the average daily submissions to the database. Clearing the existing backlog alone requires about 100 analyses per day, whereas the average daily rate in June 2024 was around 21 per day. Factoring in new daily submissions raises the required rate to 214 per day.
From those rates we can forecast the state of the backlog at the end of the year: if the current trend continues, the backlog will still exceed 30,000 CVEs. However, based on the current trajectory, we anticipate the processing rate will continue to accelerate, and we estimate that NVD should recover sometime between October 1, 2024 and March 31, 2025.
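The rates above follow from a small amount of backlog arithmetic, and working it through recovers a figure the post does not state: the daily submission rate that its 214/day number implies. The following is an added example, not Fortress's dashboard code; the constants are the figures stated in the post as of July 18, 2024, and the `ramp_per_day` model of accelerating throughput is an assumption used to illustrate the recovery-window reasoning, not Fortress's forecasting method.

```python
"""Backlog arithmetic behind the rates in the post: how many analyses per day clear the
backlog by a deadline, what intake rate the post's 214/day figure implies, and where
the backlog lands if rates stay flat.

Added example; not Fortress's dashboard code. Constants are the post's figures as of
July 18, 2024.
"""
import math
from datetime import date, timedelta
from typing import Optional

AS_OF = date(2024, 7, 18)
YEAR_END = date(2024, 12, 31)
BACKLOG = 16672                 # CVEs awaiting analysis
JUNE_ANALYZED_PER_DAY = 21.0    # average analyses per day in June 2024
REQUIRED_WITH_INTAKE = 214.0    # post's figure: clear backlog and absorb new submissions


def days_between(start: date, end: date) -> int:
    return (end - start).days


def rate_to_clear(backlog: int, start: date, deadline: date, new_per_day: float = 0.0) -> float:
    """Analyses per day needed to drain `backlog` by `deadline` while absorbing `new_per_day`."""
    return backlog / days_between(start, deadline) + new_per_day


def implied_intake(required_with_intake: float, backlog: int, start: date, deadline: date) -> float:
    """Daily submission rate implied by a combined figure such as the post's 214/day."""
    return required_with_intake - rate_to_clear(backlog, start, deadline)


def project_backlog(backlog: int, start: date, end: date,
                    new_per_day: float, analyzed_per_day: float) -> int:
    """Backlog at `end` if intake and analysis rates both stay constant."""
    return max(0, round(backlog + days_between(start, end) * (new_per_day - analyzed_per_day)))


def clearance_date(backlog: int, start: date,
                   new_per_day: float, analyzed_per_day: float) -> Optional[date]:
    """Day the backlog reaches zero at constant rates, or None if it never shrinks."""
    net = analyzed_per_day - new_per_day
    if net <= 0:
        return None
    return start + timedelta(days=math.ceil(backlog / net - 1e-9))


def clearance_date_with_ramp(backlog: int, start: date, new_per_day: float,
                             analyzed_per_day: float, ramp_per_day: float,
                             horizon_days: int = 730) -> Optional[date]:
    """Day-by-day simulation in which the analysis rate grows by `ramp_per_day` each day.

    Assumed linear ramp; it illustrates why an accelerating rate clears a backlog that a
    constant rate never would.
    """
    remaining, rate = float(backlog), analyzed_per_day
    for day in range(1, horizon_days + 1):
        remaining += new_per_day - rate
        if remaining <= 0:
            return start + timedelta(days=day)
        rate += ramp_per_day
    return None


if __name__ == "__main__":
    intake = implied_intake(REQUIRED_WITH_INTAKE, BACKLOG, AS_OF, YEAR_END)
    print(f"days to year end:            {days_between(AS_OF, YEAR_END)}")
    print(f"rate to clear backlog alone: {rate_to_clear(BACKLOG, AS_OF, YEAR_END):.0f}/day")
    print(f"implied daily intake:        {intake:.0f}/day")
    print(f"backlog at year end, June pace: "
          f"{project_backlog(BACKLOG, AS_OF, YEAR_END, intake, JUNE_ANALYZED_PER_DAY)}")
    print(f"clears at June pace:         {clearance_date(BACKLOG, AS_OF, intake, JUNE_ANALYZED_PER_DAY)}")
    print(f"clears with +1/day ramp:     "
          f"{clearance_date_with_ramp(BACKLOG, AS_OF, intake, JUNE_ANALYZED_PER_DAY, 1.0)}")
```

At June's pace the backlog never clears, because intake (roughly 114 new CVEs per day on the post's figures) exceeds throughput; any recovery forecast therefore rests entirely on how fast throughput keeps growing, which is why the post gives a window rather than a date.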
Follow Up
Fortress is a leader in supply chain risk information on vendors and products in critical infrastructure and the only organization that produces deep-dive hardware and software bill of materials analysis reports. For more information on this situation and what Fortress is doing to respond, download our analysis.
Fortress has seen limited impact on our product evaluations of established assets and does not anticipate dramatic gaps in report quality. Additionally, while NVD recovers, we are collecting data from the organizations that reported each vulnerability (the CNAs) to provide whatever severity and prioritization information is available. We continuously monitor for new information from NVD and will update product vulnerability information as it becomes available.