All news with #nvd tag

🔍 A healthcare customer bought servers in 2017 and, due to COVID-era lifecycle extensions and current supply-chain bottlenecks, now faces expiring vendor support and long lead times that prevent timely hardware refresh. The article recommends building a complete inventory using scanners (Nessus, Qualys, Rapid7, Greenbone/OpenVAS), network discovery (Nmap) and device fingerprinting (runZero), then mapping assets to NVD and CISA Known Exploited Vulnerabilities (KEV). Use a weighted risk formula to prioritize remediation and sort systems into immediate, managed, and monitored tiers. Document risk acceptance, deploy compensating controls where needed, and consider continuous monitoring with Wazuh.

🔍 NIST will stop providing severity scores and detailed enrichment for lower-priority CVEs beginning April 15, citing a surge in submissions that has overwhelmed its capacity. The National Vulnerability Database will continue to list all reported CVEs, but entries deemed low priority will keep only the severity assigned by the submitting CNA. NIST will only add detailed analysis for issues in CISA’s KEV, those affecting U.S. federal software, or critical software defined by EO 14028; organizations may request enrichment for low-priority entries via email to nvd@nist.gov.

🔒 NIST will only enrich CVEs in its NVD that meet defined high-priority criteria, citing a 263% surge in submissions from 2020–2025 that overwhelmed its enrichment capacity. Effective April 15, 2026, NIST will prioritize CVEs in CISA's KEV catalog, those affecting software used by the federal government, and software designated critical under EO 14028. CVEs that do not meet those thresholds will remain listed but be marked "Not Scheduled"; stakeholders may request targeted enrichment via email.

🔍 NIST will restrict enrichment in its National Vulnerability Database to the most critical CVEs, prioritizing entries in CISA’s Known Exploited Vulnerabilities (KEV), software used by the federal government, and other critical products. All other CVEs will be ingested but marked as not scheduled, and the agency will stop recalculating severity scores when submitters provide their own. The move follows a surge in submissions and a backlog of more than 30,000 CVEs, and NIST says it will adopt automation and delegate tasks to CNAs to stabilize NVD operations.

📢 NIST announced a major operational change to the National Vulnerability Database (NVD), moving to a risk-based enrichment model and ceasing enrichment for all CVEs reported before March 1, 2026. The NVD will prioritize vulnerabilities in software used by the US federal government, critical software under Executive Order 14028, and entries on the CISA Known Exploited Vulnerabilities (KEV) list. CVEs that don't meet those criteria will be labeled Not Scheduled, though all submissions will still be ingested and users may request enrichment by emailing nvd@nist.gov.

🔒 The Cybersecurity and Infrastructure Security Agency and MITRE have renegotiated the contract supporting the 26-year-old CVE program, averting the imminent funding cliff that triggered a one-day panic in 2025. Sources indicate the program has been elevated from a discretionary line to a protected budget item within CISA, providing multi-year operational stability. While the move reduces near-term shutdown risk, the agreement remains opaque to many stakeholders and raises outstanding questions about modernization, performance measurement, and governance.

🔎 The EU-hosted GCVE.eu aggregates advisories from more than 25 public sources and is operated by CIRCL with co-funding from the EU's FETTA project, aiming to reduce reliance on the US-run CVE/NVD. Experts applaud redundancy but warn that without enforced mapping, automated cross-referencing, and strong governance, parallel identifiers risk creating fragmented silos. GCVE.eu says it supports cross-referencing, distributed allocation, and open-source tooling to aid coordinated disclosure and integration.

🌐 The open-source Global Cybersecurity Vulnerability Enumeration (GCVE) has launched as a community-driven, European-headquartered alternative to the US-led CVE program. Hosted by CIRCL at db.gcve.eu, the initiative aggregates vulnerability data from more than 25 public sources and empowers GCVE Numbering Authorities (GNAs) to allocate identifiers independently. Backers say the model reduces single points of failure, strengthens digital sovereignty by combining open-source software with European-controlled infrastructure, and—if kept compatible with existing conventions—could speed and diversify vulnerability disclosure without causing tracking misalignment.

🛡️ The EU-backed GCVE has launched a free, public vulnerability database at db.gcve.eu to reduce reliance on U.S.-centric CVE identifiers and strengthen European digital sovereignty. Using a decentralized GNA model and aggregating more than 25 public sources, the platform normalizes and indexes vulnerability data to allow autonomous assignment and publication of identifiers without central approval. An open API supports integration with compliance and risk tools so security teams, vendors, and researchers can track and assess reports across ecosystems.

🛡️SecAlerts provides real-time vulnerability alerts that avoid the publication delays commonly associated with NVD by aggregating signals from 100+ sources including vendors, researchers, forums and blogs. The service uses three core components — Stacks (software inventories and SBOMs), Channels (Email, Slack, Teams, Webhook) and Alerts (custom filters for Severity, Known Exploited, EPSS, Trending) — to deliver only relevant notifications. A central Dashboard surfaces affected software, extended metadata and reference links, while Properties enable multi-tenant views useful for MSPs and departments.

🛡️ CISA released "CISA Strategic Focus: CVE Quality for a Cyber Secure Future," a roadmap that shifts the CVE Program from its Growth Era to a Quality Era emphasizing trust, responsiveness, and improved vulnerability data. The plan highlights expanded community partnerships, potential diversified government sponsorship, technological modernization, and stronger transparency and communications. It also prioritizes data quality improvements, including standardized enrichment approaches such as Vulnrichment and expanded Authorized Data Publisher capabilities.

🔒CISA reaffirms federal leadership of the CVE Program, arguing that a neutral, government steward is essential to preserve trust and national security. The agency ties the program to operational initiatives such as the Known Exploited Vulnerabilities (KEV) Catalog and warns that privatization or fragmentation would erode reliability and increase risk. CISA outlines a shift from a 'Growth Era' to a 'Quality Era' focused on improving completeness, accuracy, timeliness, governance, and sustainable infrastructure, and invites practitioners, industry, and international partners to help shape the program's future.