Industry News

NIST NVD Recovery: The New Consortium Reshaping Vulnerability Data

After months of processing backlogs and community frustration, NIST announces a new consortium to modernize and sustain the National Vulnerability Database.

Yukti Singhal
Security Research Analyst
6 min read

For most of 2024, the cybersecurity community watched a slow-motion crisis unfold at the National Vulnerability Database. Processing ground to a near-halt in February, backlogs ballooned past 18,000 unanalyzed CVEs, and organizations relying on NVD enrichment data found themselves flying partially blind. By November, NIST announced a path forward: a new consortium-based model to share the burden and modernize the infrastructure.

This is the story of what broke, what changed, and what it means for vulnerability management going forward.

The Slowdown Nobody Saw Coming

The NVD has been the backbone of vulnerability management since 2005. Security scanners, SCA tools, SBOM enrichment platforms, and compliance workflows all depend on NVD data. When NIST began falling behind on CVE analysis in early 2024, the ripple effects were immediate.

By March, the backlog was visible. New CVEs were being published by MITRE's CVE Program, but NVD enrichment, including CVSS scoring, CPE matching, and reference tagging, was weeks or months behind. Some CVEs sat unanalyzed for over 90 days.

The root cause was a combination of factors:

  • Budget constraints limiting NIST's ability to staff the program adequately
  • Exponential CVE growth, with 2024 on pace to exceed 35,000 new CVEs
  • Technical debt in NVD infrastructure that made processing increasingly manual
  • Contract transitions that created gaps in analytical capacity

NIST initially responded by prioritizing CVEs in CISA's Known Exploited Vulnerabilities (KEV) catalog and other high-risk entries, but the general backlog continued to grow.

Community Response and Interim Solutions

The security community did not wait for NIST to fix things. Several parallel efforts emerged:

CISA's Vulnrichment Program became a critical stopgap. CISA began publishing its own CVE enrichment data, including CVSS scores and CWE classifications, through the CVE.org infrastructure. By mid-2024, CISA had enriched thousands of CVEs that NVD had not yet processed.

OSV.dev, Google's open-source vulnerability database, saw increased adoption. Unlike NVD, OSV maps vulnerabilities directly to package versions rather than CPE strings, making it more natural for software composition analysis.

GitHub Advisory Database continued its own independent enrichment, providing another source of vulnerability data for the open-source ecosystem.

Commercial vendors like VulnCheck began offering their own CVE enrichment services, effectively competing with the function NVD had historically provided for free.

The Consortium Model

In November 2024, NIST announced the formation of a new consortium to support NVD operations. The model draws from successful precedents in other standards bodies, where industry stakeholders share the operational and financial burden of maintaining critical infrastructure.

Key elements of the consortium approach:

Shared enrichment responsibility. Rather than NIST handling all CVE analysis internally, consortium members contribute analytical resources. This distributes the workload across organizations that already maintain vulnerability research capabilities.

Modernized data formats. The consortium is accelerating the transition from CPE-based product identification to Package URL (purl) and other more granular identification schemes. This addresses a long-standing complaint that CPE strings are too coarse for modern software composition.

API improvements. The NVD 2.0 API, which replaced the legacy data feeds in late 2023, is being enhanced with better rate limiting, webhook support, and more granular query capabilities.

Sustainable funding. The consortium model creates a pathway for industry funding that supplements federal appropriations, reducing the vulnerability of NVD operations to budget cycles.

What the Backlog Revealed

The NVD crisis exposed structural issues that go beyond staffing:

Single point of failure. The global vulnerability management ecosystem had an unhealthy dependence on a single government-operated database. When NVD faltered, there was no seamless failover.

CPE limitations. The Common Platform Enumeration system, designed in an era of commercial software, struggles with the granularity needed for open-source components. Matching a CVE to affected npm packages, Python modules, or Go modules via CPE strings is inherently imprecise.

Enrichment as a bottleneck. The gap between CVE publication and NVD enrichment matters because most vulnerability management tools consume the enriched data, not raw CVE records. Without CVSS scores and product matching, a CVE is just a description.

Scale mismatch. CVE volume has grown roughly 25% year-over-year, but NVD processing capacity has not scaled proportionally. The consortium model attempts to address this structural mismatch.

Impact on Vulnerability Management Practices

Organizations that relied exclusively on NVD data learned hard lessons in 2024:

Multi-source vulnerability intelligence is no longer optional. Teams need to consume data from NVD, OSV, GitHub Advisories, CISA Vulnrichment, and vendor-specific sources. Relying on any single source creates unacceptable blind spots.

SBOM-based vulnerability matching changes the equation. When you have accurate SBOMs with Package URLs, you can match against vulnerability databases that use the same identifiers, bypassing the CPE bottleneck entirely.

Timeliness matters more than completeness. A vulnerability that has been actively exploited for two weeks but lacks an NVD enrichment entry is still a critical risk. Organizations need processes that can act on partial vulnerability data.
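The three lessons above can be shown in one script. The following is an added example, not Safeguard.sh code and not a client for OSV, NVD or KEV: it parses Package URLs from a constructed SBOM, matches them against OSV-style affected-version ranges (the same record shape OSV publishes), contrasts that with a version-wildcarded CPE string that cannot say which releases are affected, and prioritizes an advisory that is listed in KEV but still has no CVSS score. The package names, advisory ids and KEV set are invented, and the version ordering is a deliberate simplification of ecosystem-specific rules.

```python
"""Package-URL based SBOM matching against OSV-style advisory ranges.
Added example: not Safeguard.sh code, not a client for OSV, NVD or KEV. The
SBOM, advisories, KEV set, package names and advisory ids are constructed."""
from dataclasses import dataclass, field
from typing import Optional

def parse_purl(purl: str) -> tuple[str, str, str, Optional[str]]:
    """pkg:type/namespace/name@version -> (type, namespace, name, version); qualifiers and subpath dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = body.split("/")
    return parts[0], "/".join(parts[1:-1]), parts[-1], version

def purl_base(purl: str) -> str:
    """Version-less purl: the key advisories are indexed by."""
    ptype, ns, name, _ = parse_purl(purl)
    return f"pkg:{ptype}/{ns}/{name}" if ns else f"pkg:{ptype}/{name}"

def version_key(version: str) -> tuple[int, ...]:
    """Simplified dotted-numeric ordering; real ecosystems carry their own rules."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def is_affected(version: str, ranges: list[dict]) -> bool:
    """OSV event semantics: affected when introduced <= v < fixed; no 'fixed' event means open-ended."""
    v = version_key(version)
    for rng in ranges:
        introduced = None
        for event in rng["events"]:
            if "introduced" in event:
                introduced = version_key(event["introduced"])
            elif "fixed" in event and introduced is not None:
                if introduced <= v < version_key(event["fixed"]):
                    return True
                introduced = None
        if introduced is not None and introduced <= v:
            return True
    return False

def cpe_is_version_specific(cpe: str) -> bool:
    """cpe:2.3:part:vendor:product:version:... - a '*' version covers every release, so it cannot name the affected ones."""
    return cpe.split(":")[5] not in ("*", "-")

@dataclass
class Advisory:
    id: str
    purl_base: str
    ranges: list[dict]
    cvss: Optional[float]                       # None while enrichment is pending
    sources: list[str] = field(default_factory=list)

def priority(adv: Advisory, kev: set[str]) -> str:
    """Act on partial data: KEV membership outranks a missing or low score."""
    if adv.id in kev:
        return "critical"
    if adv.cvss is None:
        return "triage-pending"                 # confirmed affected, score not yet available
    if adv.cvss >= 9.0:
        return "critical"
    if adv.cvss >= 7.0:
        return "high"
    return "medium" if adv.cvss >= 4.0 else "low"

def match_sbom(components: list[str], advisories: list[Advisory], kev: set[str]) -> list[dict]:
    """Join SBOM components to advisories on the version-less purl, then test the version range."""
    by_base: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_base.setdefault(adv.purl_base, []).append(adv)
    findings = []
    for purl in components:
        version = parse_purl(purl)[3]
        for adv in by_base.get(purl_base(purl), []):
            if version is not None and is_affected(version, adv.ranges):
                findings.append({"component": purl, "advisory": adv.id,
                                 "priority": priority(adv, kev), "sources": adv.sources})
    return findings

# Constructed sample data (invented packages and advisory ids).
SBOM = ["pkg:npm/example-widget@1.4.2",
        "pkg:pypi/example-parser@2.0.0",
        "pkg:golang/github.com/example/netlib@1.3.0?type=module"]
ADVISORIES = [
    Advisory("ADV-0001", "pkg:npm/example-widget",
             [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.3"}]}], 7.5, ["osv", "github"]),
    Advisory("ADV-0002", "pkg:pypi/example-parser",
             [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.9.0"}]}], 9.8, ["osv"]),
    Advisory("ADV-0003", "pkg:golang/github.com/example/netlib",
             [{"type": "SEMVER", "events": [{"introduced": "1.2.0"}]}], None, ["vendor"]),  # unpatched, NVD score pending
]
KEV = {"ADV-0003"}   # constructed; real KEV entries are CVE ids

if __name__ == "__main__":
    for finding in match_sbom(SBOM, ADVISORIES, KEV):
        print(finding)
```

Running it reports the npm component as `high` (in range, CVSS 7.5 from OSV), skips the PyPI component (2.0.0 is past the fix), and reports the Go module as `critical` even though no CVSS score exists yet, because the KEV check runs before the score check. A purl-only pipeline never needed the CPE string at all; `cpe_is_version_specific` is there to show why a wildcard CPE could not have produced the same version-level answer.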

The Broader Ecosystem Shift

The NVD situation is accelerating a broader shift in how vulnerability data is produced, distributed, and consumed:

Decentralized enrichment. Multiple authoritative sources contributing vulnerability metadata, rather than a single central authority. The CVE Program's move to allow CNAs (CVE Numbering Authorities) to publish enrichment data supports this direction.

Package-native vulnerability tracking. Language-specific advisory databases (RustSec, npm advisories, PyPI advisories) provide faster, more accurate vulnerability data for their ecosystems than NVD can.

Continuous vulnerability monitoring. The batch-processing model, where organizations periodically scan against a database snapshot, is giving way to streaming approaches where new vulnerability data triggers immediate reassessment.

What to Watch

The consortium is still in its formative stages. Several questions remain:

  • Governance structure: How will decisions about enrichment standards, data quality, and priorities be made across consortium members?
  • Data consistency: With multiple enrichment sources, how will conflicting CVSS scores or product matches be reconciled?
  • Backlog clearance: NIST has committed to clearing the existing backlog, but the timeline remains uncertain.
  • Long-term sustainability: Will the consortium model attract sufficient industry participation to remain viable?
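The data-consistency question is one a consumer has to answer today, before the consortium settles it. The following is an added example, not Safeguard.sh code: it merges constructed enrichment records for one placeholder CVE from four sources, picks scalar fields by a source-precedence order, escalates to the highest CVSS and flags a conflict when sources disagree by more than a threshold, and keeps CPE-only product data separate from purl-based matches. The precedence list, the one-point threshold, the source records and the CVE id are all assumptions made for the example.

```python
"""Reconcile conflicting enrichment for one CVE across several sources.
Added example, not Safeguard.sh code. The source records are constructed,
the CVE id is a placeholder, and the precedence/threshold policy is an assumption."""
import json
from typing import Optional

PRECEDENCE = ["nvd", "cisa_vulnrichment", "vendor", "osv", "github"]   # assumed policy
CVSS_CONFLICT_SPREAD = 1.0   # CVSS points between sources before a conflict is flagged

# Constructed records for one placeholder CVE; NVD is still awaiting analysis.
RECORDS = {
    "nvd": {"cvss": None, "cwe": None, "purls": [],
            "cpe": ["cpe:2.3:a:example:netlib:*:*:*:*:*:*:*:*"]},
    "cisa_vulnrichment": {"cvss": 7.1, "cwe": "CWE-787", "purls": [], "cpe": []},
    "vendor": {"cvss": 6.5, "cwe": "CWE-787", "cpe": [],
               "purls": ["pkg:golang/github.com/example/netlib"]},
    "osv": {"cvss": 8.1, "cwe": None, "cpe": [],
            "purls": ["pkg:golang/github.com/example/netlib"]},
}

def pick_by_precedence(values: dict, precedence: list[str] = PRECEDENCE) -> tuple[Optional[str], object]:
    """(source, value) from the highest-precedence source that supplied a value."""
    for src in precedence:
        if src in values:
            return src, values[src]
    return None, None

def reconcile(cve_id: str, records: dict) -> dict:
    """Merge per-source records into one enriched entry with provenance and conflict flags."""
    merged = {"id": cve_id, "provenance": {}, "conflicts": []}

    scores = {s: r["cvss"] for s, r in records.items() if r.get("cvss") is not None}
    src, score = pick_by_precedence(scores)
    if scores:
        spread = round(max(scores.values()) - min(scores.values()), 1)
        if spread > CVSS_CONFLICT_SPREAD:
            # Material disagreement: schedule on the worst case and flag for analyst review.
            score = max(scores.values())
            src = ",".join(sorted(s for s, v in scores.items() if v == score))
            merged["conflicts"].append({"field": "cvss", "values": scores, "spread": spread})
    merged["cvss"], merged["provenance"]["cvss"] = score, src

    cwes = {s: r["cwe"] for s, r in records.items() if r.get("cwe")}
    src, cwe = pick_by_precedence(cwes)
    merged["cwe"], merged["provenance"]["cwe"] = cwe, src

    # Product matches: purls from any source are usable directly; CPE-only data is kept
    # but marked unresolved, since a wildcard CPE does not identify affected versions.
    merged["affected_purls"] = sorted({p for r in records.values() for p in r.get("purls", [])})
    merged["unresolved_cpe"] = sorted(c for r in records.values() if not r.get("purls") for c in r.get("cpe", []))
    merged["pending_sources"] = sorted(s for s, r in records.items()
                                       if r.get("cvss") is None and not r.get("purls"))
    merged["enrichment_status"] = "complete" if score is not None and cwe and merged["affected_purls"] else "partial"
    return merged

if __name__ == "__main__":
    print(json.dumps(reconcile("CVE-0000-00000", RECORDS), indent=2))   # placeholder id
```

With the sample records the scores span 6.5 to 8.1, so the precedence pick (CISA's 7.1) is overridden by the maximum (OSV's 8.1) and a conflict entry records all three values for review; the CWE comes from CISA by precedence, the purl match comes from the vendor and OSV, and NVD appears under `pending_sources` with its wildcard CPE under `unresolved_cpe`. Whether to escalate to the maximum or to a precedence pick is a policy choice; the point is that the choice and its provenance are recorded rather than silently made.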

How Safeguard.sh Helps

The NVD disruption reinforced a principle Safeguard.sh was built around: vulnerability intelligence should never depend on a single source.

Safeguard.sh aggregates vulnerability data from multiple sources, including NVD, OSV, GitHub Advisories, and vendor feeds. When NVD enrichment is delayed, Safeguard.sh still provides actionable vulnerability data through alternative sources.

More importantly, Safeguard.sh uses SBOM-native vulnerability matching. By working with Package URLs and direct package identifiers rather than relying exclusively on CPE strings, Safeguard.sh provides faster and more accurate vulnerability matching, regardless of NVD processing timelines.

For organizations navigating the evolving vulnerability data landscape, Safeguard.sh provides the multi-source intelligence and SBOM-driven matching that the NVD crisis proved essential.
