CVE and NVD – A Weak and Fractured Source of Vulnerability Truth


MITRE is unable to compile a list of all new vulnerabilities, and NIST is unable to subsequently, and consequently, provide an enriched database of all vulnerabilities. What went wrong, and what can be done?

The Common Vulnerabilities and Exposures (CVE) List and the consequent National Vulnerability Database (NVD) can no longer be considered a single central source of vulnerability truth.

Nobody doubts that the current CVE system can and should be improved. Overseen by MITRE (sponsored by the DHS), the CVE List is absorbed and its data enriched by NIST in the NVD. MITRE is responsible for the vulnerability numbering system, while the NVD has become the cyber defenders’ source of truth on the vulnerabilities.

Since mid-February 2024, a banner has appeared at the head of NVD entries: “NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You ...


Copyright of this story solely belongs to securityweek.