On November 13, NIST NVD finally admitted the obvious: they had failed to process the CVE analysis backlog before the end of the fiscal year (September 30). This is actually visible in their own statistics. At the moment, there are 19860 identifiers in the backlog. This week, 1136 new CVEs were received, and they analyzed only 510. And this is not some abnormal week, this happens regularly. They can’t cope with analyzing new vulnerabilities, they don’t have time to deal with the backlog. The crisis continues.
At the same time, for some reason, they write in the message that they have a full team of analysts, and they are addressing all incoming CVEs as they are uploaded into NVD system. But why do their statistics show the opposite?
They write that they processed all the vulnerabilities from CISA KEV. And that’s good. But CISA KEV only added 162 CVEs in 2024. It’s great that NVD was able to process these identifiers, but the achievement is, to put it mildly, not impressive.
Why can’t NVD process this backlog?
They write that the problem is in the format of data from Authorized Data Providers (ADPs), apparently meaning CISA Vulnrichment. NVD is currently unable to effectively import and enhance data in this format. In order to be able to do this, they are developing some “new systems”.
Not only have they admitted their inability to analyze vulnerabilities on their own and their willingness to use the results of someone else’s analysis as is, they also cannot write parser-converters in any adequate time. 🐾 I have no words. 🤦♂️
And now there is news that US Senator Rand Paul, the new chairman of the Senate Homeland Security Committee, has promised to seriously reduce the powers of CISA or eliminate them completely. 😁 It’s all because of CISA’s work “to counter disinformation” before the US elections. So the only American information security regulator capable of doing anything useful in a reasonable amount of time could be destroyed. Great idea, comrades, keep it up. 👍
I expect nothing but further degradation.
