Lord of the CVEs: NVD crisis. The NVD website currently has a banner:
“NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.”
In fact, NVDs have completely stopped enriching CVE data (CVSS, CWE, CPE). And panic is growing in the global near-VM community. Almost everyone used NVD’s publicly available content and took it for granted. It turned out that everything could stop and consumers of NVD content would have to self-organize and obtain new sources of such data, like the kids in Golding’s Lord of the Flies. 🙂🐚🐷🪰
I still believe that these are temporary difficulties that will be solved by the reorganization of NVD. But if not, then it will be interesting to see where this leads. 🌝
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Pingback: On November 13, NIST NVD finally admitted the obvious: they had failed to process the CVE analysis backlog before the end of the fiscal year (September 30) | Alexander V. Leonov
Pingback: I generated a report on the March Linux Patch Wednesday | Alexander V. Leonov