Security & Infrastructure Tools
NIST to stop rating non-priority flaws due to volume increase
NIST’s National Vulnerability Database will stop assigning severity scores to lower-priority vulnerabilities due to a surge in submissions. Beginning April 15, 2026, CVEs will be enriched only if they meet risk-based criteria: they appear in CISA’s Known Exploited Vulnerabilities catalog, affect U.S. federal software, or involve software deemed critical under Executive Order 14028. All submitted CVEs will still appear in the NVD, but those not meeting the criteria will be labeled Not Scheduled; enrichment requests for the lowest-priority CVEs can still be sent to nvd@nist.gov. The change aims to focus on vulnerabilities with the greatest potential for widespread impact amid a 263% rise in submissions and 42,000 CVEs enriched in 2025.

NIST to Stop Rating Non-Priority Flaws Due to Volume Increase
Executive Summary
- A major shift in vulnerability processing: the National Institute of Standards and Technology (NIST) will stop assigning severity scores to lower-priority vulnerabilities as a response to growing submission volumes.
- Effective change: since April 15, 2026, the handling of vulnerabilities focuses on issues that meet specific risk-related criteria, while the rest are not enriched with severity or extended details.
- Central mechanism: the National Vulnerability Database (NVD) will continue to list all submitted CVEs, but many low-priority entries will carry only the CNA-provided assessment and no added enrichment from NVD.
What Is Changing in Practice
- Scope of enrichment: NVD will restrict the enrichment of vulnerability details (such as severity rating, affected products, and mitigation links) to a subset of CVEs that meet predefined risk criteria.
- Visibility of all CVEs: every submitted CVE remains in NVD, preserving the comprehensive record, but low-priority items may not receive the full risk-context enhancements.
- Terminology shift: CVEs not meeting the enrichment criteria will be labeled as “Not Scheduled” rather than receiving the usual NVD risk-context enrichment.
Criteria for Enrichment (When NVD Will Provide Additional Details)
- The vulnerability is in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
- The vulnerability affects software used by the U.S. federal government.
- The vulnerability involves critical software as defined by Executive Order 14028 (EO 14028).
Rationale Behind the Change
- Capacity and workload pressures: NIST cited a surge in vulnerability submissions, with a reported 263% increase and accelerated growth into 2026.
- Resource allocation: the organization enriched tens of thousands of CVEs in 2025 (approximately 42,000), but the sheer volume outpaced the ability to maintain full enrichment for every entry.
- Strategic focus: by prioritizing CVEs with the greatest potential for widespread impact, NIST aims to maintain utility for risk management while addressing the riskiest issues first.
How CVEs Are Indexed in NVD Under the New Regime
- Core function preserved: the NVD remains a public, centralized repository for known vulnerabilities, including CVE IDs and vendor information from CNAs such as MITRE.
- Enrichment versus listing: all CVEs continue to appear in NVD, but the depth of added data (descriptions, advisories, patch links) will be applied selectively according to the enrichment criteria.
- Not Scheduled designation: CVEs that do not meet the criteria will be categorized as not scheduled for enrichment, signaling that they may still have impact but are deprioritized for automated risk-context enhancement.
Enrichment Requests and Exceptions
- Escalation path: CVEs that do not meet the enrichment criteria but are still potentially impactful are not ignored entirely.
- Optional enrichment channel: for cases where a CVE represents a significant risk despite being low priority, enrichment requests can be submitted via email to nvd@nist.gov.
- Human review fallback: this process provides a backstop so that particularly important entries can still receive targeted scrutiny and context when warranted.
Implications for Stakeholders
- Security researchers and IT professionals: detailed risk context can no longer be assumed for lower-priority CVEs; targeted inquiries may be needed for specific issues.
- Vendors and software suppliers: the standard CVE record remains, but the broader enrichment and commentary may not be automatically populated for every low-priority vulnerability.
- Government agencies: critical and KEV-listed vulnerabilities continue to receive attention and richer data when applicable, maintaining prioritized risk management capabilities.
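For teams that consume NVD data programmatically, the practical consequence of the indexing and stakeholder points above is that a record may now carry only the CNA's own CVSS, or none at all. The routine below is an added example, not code from NIST, NVD or the article: it prefers NVD's own (Primary) metric, falls back to the CNA's (Secondary) metric, and flags records a defender should look at by hand. The record shape is modelled on the NVD API 2.0 JSON, the exact `vulnStatus` value NVD will use for "Not Scheduled" is an assumption (the page gives only the label), and the sample records and their CVE IDs are constructed placeholders.

```python
"""Consumer-side triage for NVD records that may carry no NVD enrichment.

Constructed example, not NIST/NVD code. Record shape is modelled on the
NVD API 2.0 JSON, where cve.metrics.cvssMetricV31[].type is "Primary" for
the NVD-assigned metric and "Secondary" for a CNA-supplied one. The
status string NOT_SCHEDULED_STATUS is an assumption: the page gives the
label "Not Scheduled" but not the exact field value NVD will emit.
"""
from __future__ import annotations

from typing import Optional

NOT_SCHEDULED_STATUS = "Not Scheduled"  # assumed vulnStatus value

# Constructed sample records; the CVE IDs are placeholders, not real CVEs.
SAMPLE_CVES = [
    {   # enriched by NVD: both a Primary (NVD) and a Secondary (CNA) metric
        "id": "CVE-0000-0001",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
            {"source": "cna@example.test", "type": "Secondary",
             "cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}},
        ]},
    },
    {   # not scheduled: only the CNA's own assessment is present
        "id": "CVE-0000-0002",
        "vulnStatus": NOT_SCHEDULED_STATUS,
        "metrics": {"cvssMetricV31": [
            {"source": "cna@example.test", "type": "Secondary",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
        ]},
    },
    {   # not scheduled, and the CNA supplied no CVSS at all
        "id": "CVE-0000-0003",
        "vulnStatus": NOT_SCHEDULED_STATUS,
        "metrics": {},
    },
]


def effective_metric(cve: dict) -> tuple[Optional[float], Optional[str], str]:
    """Return (score, severity, origin) for one record.

    origin is "nvd" when NVD's Primary metric exists, "cna" when only a
    Secondary (CNA) metric exists, and "none" when no CVSS is present.
    """
    entries = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted, origin in (("Primary", "nvd"), ("Secondary", "cna")):
        for entry in entries:
            if entry.get("type") == wanted:
                data = entry["cvssData"]
                return data["baseScore"], data["baseSeverity"], origin
    return None, None, "none"


def triage(cves: list[dict], kev_ids: set[str]) -> list[dict]:
    """Classify each record by how much NVD context it actually carries.

    needs_review marks records NVD cannot be relied on for: those with no
    NVD enrichment that are either KEV-listed (the new criteria say these
    should be enriched, so a missing Primary metric is worth querying) or
    that carry no CVSS from anyone.
    """
    out = []
    for cve in cves:
        score, severity, origin = effective_metric(cve)
        not_scheduled = cve.get("vulnStatus") == NOT_SCHEDULED_STATUS
        in_kev = cve["id"] in kev_ids
        out.append({
            "id": cve["id"],
            "nvd_enriched": origin == "nvd",
            "not_scheduled": not_scheduled,
            "score": score,
            "severity": severity,
            "score_origin": origin,
            "needs_review": origin != "nvd" and (in_kev or origin == "none"),
        })
    return out


if __name__ == "__main__":
    # kev_ids would normally come from CISA's KEV feed; constructed here.
    for row in triage(SAMPLE_CVES, kev_ids={"CVE-0000-0002"}):
        print(row)
```

The design point is to keep the origin of the score explicit in the output: a CNA-supplied HIGH and an NVD-assigned HIGH are not interchangeable for prioritization, and a record with no score at all should not silently sort to the bottom of a queue.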
Timeline and Operational Details
- Effective date: the changes began with the April 15, 2026, operational shift, aligning NVD’s enrichment activities with the increased CVE flow.
- Ongoing listing: the NVD will persist as a comprehensive repository of submitted vulnerabilities, ensuring traceability and historical context even when enrichment is not provided for every item.
- Future adjustments: NIST noted that enrichment remains possible for “any lowest priority CVEs” upon request, ensuring a mechanism exists to surface critical information when needed.
Context and Related Knowledge
- CVE ecosystem: CVE IDs are assigned by CNAs, with MITRE serving as a central, not-for-profit coordinator in many cases, and NVD acting as a public-facing enrichment and indexing layer.
- Risk management objective: the enrichment function is intended to support risk assessment, version-specific impact analysis, vulnerability prioritization, and remediation planning, but resource constraints necessitated a prioritized approach.
Summary of Core Points
- NVD will no longer automatically enrich all low-priority CVEs with severity scores and detailed product context.
- Enrichment will be reserved for CVEs meeting KEV, U.S. federal government impact, or critical software criteria as defined by EO 14028.
- The NVD will still archive all CVEs, with some entries marked Not Scheduled for enrichment.
- Exceptions and targeted enrichment remain possible through direct outreach to nvd@nist.gov for cases deemed high risk despite lower priority categorization.