NIST gives up enriching most CVEs
- NIST announced it will only enrich data for important CVEs, focusing on those in CISA KEV, software used by US federal agencies, and critical software.
- The policy change is due to budget constraints and an overwhelming number of vulnerabilities, with NIST falling behind by tens of thousands of bugs.
- NIST will stop providing its own CVSS scores, using scores from CVE issuers instead, which may lead to underreporting of severity by software makers.
- The shift affects vulnerability management companies that relied on NVD data, forcing them to find alternative sources or enrich data themselves.
- AI cybersecurity agents are expected to increase vulnerability discoveries, exacerbating the challenge of managing CVE data.
- Additional cybersecurity news includes Russian hackers targeting Swedish and Ukrainian entities, ransomware attacks, and various tech updates.