The cybersecurity community is sounding the alarm over persistent challenges facing the US National Vulnerability Database (NVD), raising concerns about a potential supply chain security crisis.

A coalition comprising 50 cybersecurity experts has penned an open letter to US Secretary of Commerce Gina Raimondo and select members of Congress. Titled 'A Call to Action: Addressing Critical Issues in the National Vulnerability Database,' the letter urges swift intervention to investigate and rectify ongoing issues plaguing the NVD.

The concerns first arose in early March when a noticeable decline in vulnerability enrichment data uploads was observed on the NVD platform, starting around mid-February. While new vulnerability entries, known as CVEs, continued to be logged, many lacked comprehensive analysis. This led to crucial metadata such as Common Weaknesses and Exposures (CWEs) and criticality scores (CVSS) being omitted from the database. At the same time, NIST's own figures reveal that only a fraction of received CVEs have been analysed thus far this year.

In response to mounting concerns, NIST initiated an industry consortium in late March to solicit support for the NVD program's sustained operation. However, stakeholders emphasise the urgent need to address the existing backlog, given the NVD's pivotal role as a primary resource for vulnerability information globally.

dig.watchNIST to transfer software vulnerability repository to industry consortiumThe US National Institute of Standards and Technology (NIST) confirmed the transition of managing the National Vulnerability Database (NVD) to an industry consortium, announced by NVD program manager Tanya Brewer... 1 Apr 2024 dig.watchNIST to transfer software vulnerability repository to industry consortiumThe US National Institute of Standards and Technology (NIST) confirmed the transition of managing the National Vulnerability Database (NVD) to an industry consortium, announced by NVD program manager Tanya Brewer... 1 Apr 2024

The letter advocates for several measures: first, resolving the current NVD backlog, and second, undertaking a comprehensive overhaul of vulnerability disclosure and management processes within the NVD program. To this end, Congress is urged to intervene by investigating ongoing issues, ensuring NIST has the necessary resources for immediate restoration, and laying the groundwork for long-term improvements.

The signatories propose practical recommendations to achieve these goals, including interim measures to streamline data relay, establishing transparent improvement plans with stakeholder input, and securing sustained funding for NVD operations.

The signatories represent a diverse array of stakeholders, including open-source organizations and leading security vendors. They underscore the critical importance of addressing NVD issues promptly to safeguard global cybersecurity interests.