NIST Signals a Major Shift in Vulnerability Database Operations
The National Institute of Standards and Technology (NIST) has announced sweeping changes to how it manages records within the National Vulnerability Database (NVD), conceding that the volume of vulnerability submissions has grown beyond what its current workforce can handle. The agency, which has historically aimed to catalog and enrich every CVE (Common Vulnerabilities and Exposures) entry submitted to the database, will now selectively process only those records that meet newly defined priority thresholds.
The announcement, made on a Wednesday, marks a fundamental departure from NIST's longstanding mission to add context — including severity scores and descriptive information — to every CVE it receives.
The Numbers Behind the Decision
NIST's statement made the scale of the challenge clear. Submissions during the first three months of 2026 were already running nearly one-third higher than the same period in the previous year. Despite the agency reporting that it enriched nearly 42,000 CVEs in 2025 — representing a 45% increase over any prior year — that output has still proven insufficient to keep pace with the incoming surge.
The process known as "enrichment" refers to the practice of adding supplementary metadata to a raw CVE record after it is submitted to the NVD. This includes information such as vulnerability descriptions and CVSS severity scores that organizations rely on to assess risk and prioritize patching. CVEs that fall outside the new criteria will still be listed in the database but will receive no such additional information.
New Prioritization Rules Take Effect Immediately
Under the revised framework, NIST will focus its enrichment efforts on three categories of vulnerabilities:
- CVEs that appear in CISA's Known Exploited Vulnerabilities (KEV) catalog, which will be enriched within one day of notice from the Cybersecurity and Infrastructure Security Agency (CISA)
- CVEs affecting products used by the federal government
- CVEs present in software designated as "critical"
NIST stated that this risk-based approach is intended to help the agency concentrate resources on the most consequential vulnerabilities while it develops "the automated systems and workflow enhancements required for long-term sustainability."
The Unresolved Backlog Problem
Wednesday's announcement also brought an admission that had been long anticipated within cybersecurity circles: NIST will not be clearing its existing backlog of unenriched CVE records. Despite repeated commitments throughout the end of 2024 and into 2025 to resolve the backlog — a crisis that originated from severe funding and staffing constraints — the agency acknowledged failure on that front.
"Unfortunately, we have been unable to clear that backlog, in part due to the increasing rate of submissions. Therefore, when we implement the new prioritization criteria described above, we will move all backlogged CVEs with an NVD publish date earlier than March 1, 2026, into the 'Not Scheduled' category," the agency said.
NIST added that it would comb through the backlog to identify records meeting the new criteria and prioritize those, but the remainder will effectively be deprioritized indefinitely. Researchers seeking enrichment for specific CVEs that don't meet the automated criteria can submit requests directly by emailing NIST.
A Crisis That Has Been Building Since 2024
This latest announcement is the culmination of a prolonged struggle. In 2024, staff cutbacks and significant funding reductions at NIST triggered a situation where approximately 90% of vulnerability submissions were left unenriched. CISA stepped in during that crisis to enrich thousands of vulnerabilities on NIST's behalf, and a consortium was established to develop longer-term planning.
A senior leader at the NVD disclosed at the time that the program's staffing had remained flat at just 21 people, even as the number of annual CVE submissions continued to climb year after year. In response, dozens of cybersecurity professionals signed an open letter addressed to Congress and then-Secretary of Commerce Gina Raimondo, urging them to protect and fully fund the NVD.
The letter described the database as "critical infrastructure for a large variety of cybersecurity products" and warned:
"The NVD is integral to how every organization in the private and public sectors worldwide works to defend against vulnerability exploitation attacks targeting their technology systems. We are deeply concerned with the loss of this functionality and the lack of transparent communication from NIST about this issue to the cybersecurity community and organizations that depend on it."
AI Is Accelerating the Problem
Beyond budget and staffing constraints, cybersecurity experts and artificial intelligence companies have consistently flagged a structural driver of the submission surge: the democratization of AI-powered code review tools. These tools have made it significantly easier to identify vulnerabilities at scale, leading to a flood of new — though sometimes minor — CVE submissions across popular software products.
More recently, concerns have deepened around autonomous AI systems capable of discovering and immediately exploiting vulnerabilities without human direction, adding further urgency to the challenge of maintaining a usable, trustworthy vulnerability database.
Severity Scoring Also Changes
In addition to the enrichment restrictions, NIST also announced it will no longer generate its own independent severity scores for all submitted CVEs. Going forward, the agency will rely entirely on the scores provided by the submitter, rather than independently verifying or recalculating them.
NIST framed all of these changes as a necessary recalibration: "We recognize that these changes will affect our users. However, this risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community."
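For an organization consuming NVD data, the practical consequence of the rules above (KEV, federal use, "critical" software, the March 1, 2026 backlog cutoff) and of the reliance on submitter-provided scores is that its own triage has to say explicitly which records will carry NVD data and which score it is actually using. The example below is added here and is not NIST's code; it assumes the NVD API 2.0 record layout and treats KEV, federal-use and critical-software membership as caller-supplied sets, since the record itself does not carry them.

```python
"""Consumer-side triage mirroring NIST's new NVD rules (added example, not NIST code).
Assumes the NVD API 2.0 record layout (id, published, vulnStatus,
metrics.cvssMetricV31[] with source/type/cvssData); KEV, federal-use and
critical-software membership are caller-supplied sets (assumption)."""
from datetime import date

BACKLOG_CUTOFF = date(2026, 3, 1)    # cutoff stated in the announcement
ENRICHED = {"Analyzed", "Modified"}  # statuses that already carry NVD data


def expected_tier(cve, kev, federal=frozenset(), critical=frozenset()):
    """Enrichment outcome the announcement implies for one record."""
    cid = cve["id"]
    if cid in kev:
        return "kev-within-1-day"
    if cid in federal or cid in critical:
        return "priority"
    if cve.get("vulnStatus") in ENRICHED:
        return "already-enriched"
    if date.fromisoformat(cve["published"][:10]) < BACKLOG_CUTOFF:
        return "not-scheduled"           # backlog moved to 'Not Scheduled'
    return "no-nvd-enrichment-expected"


def usable_score(cve):
    """Prefer NVD's own ('Primary') CVSS v3.1 score; else the submitter's."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    chosen = [m for m in metrics if m.get("type") == "Primary"] or metrics
    if not chosen:
        return None, None                # no NVD score and no CNA score either
    return chosen[0]["cvssData"]["baseScore"], chosen[0]["source"]


def triage(records, kev, federal=frozenset(), critical=frozenset()):
    """(id, tier, score, source) per record, so scoring gaps are explicit."""
    return [(c["id"], expected_tier(c, kev, federal, critical), *usable_score(c))
            for c in records]


# Constructed sample records, not real NVD data.
SAMPLE = [
    {"id": "CVE-2025-00001", "published": "2025-06-02T10:00:00.000",
     "vulnStatus": "Awaiting Analysis",
     "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                    "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}},
    {"id": "CVE-2026-00002", "published": "2026-03-15T08:00:00.000",
     "vulnStatus": "Awaiting Analysis", "metrics": {}},
]
```

A record that comes back with tier "not-scheduled" and a score source other than NVD is one where the organization is relying entirely on the submitter's assessment, which is the situation the announcement creates for the bulk of the backlog.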
Industry Reaction: Overdue, but Insufficient?
Trey Ford, a representative from Bugcrowd, offered measured commentary on the announcement. He suggested NIST was acknowledging a reality that security researchers had long recognized.
"What NIST is acknowledging is something the research community has understood for years: you cannot centralize vulnerability triage at this volume and expect it to hold. The signal that actually drives remediation priority has always come from real-world exploitability, not database metadata, and that requires human researchers with adversarial instincts working continuously against live environments."
Ford went further, suggesting the industry needs to rethink its approach to vulnerability prioritization altogether: "The next generation of vulnerability programs will be built around that kind of active, distributed signal, not quarterly enrichment cycles."
While NIST insists the changes will "ensure that the database remains a reliable, sustainable and publicly available source of information about cybersecurity vulnerabilities," the decision leaves a significant portion of CVEs — including some that NIST itself acknowledges "may have a significant impact on affected systems" — without the enrichment that organizations around the world depend on for risk management decisions. The agency admitted openly that the new rules "may not catch every potentially high-impact CVE."
Source: The Record