In February 2024, the cybersecurity community noticed something alarming: the National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST), had dramatically slowed its processing of new CVEs. By March, the slowdown had become a crisis. Thousands of newly published CVEs sat in the database without the enrichment data that security teams and automated scanning tools depend on: CVSS scores, CPE (Common Platform Enumeration) matches, and reference links.
This was not a minor operational hiccup. The NVD is the backbone of vulnerability management for the entire industry. When it stops working, the ripple effects touch every organization that uses vulnerability scanners, compliance tools, or risk management platforms.
What Happened
NIST published a brief notice on its NVD website in February 2024 acknowledging delays in the analysis of CVEs. It attributed the issue to a combination of "an increase in software and, therefore, vulnerabilities" and "a change in interagency support." The statement was vague, and NIST did not provide further details.
What became clear through external analysis was that NVD enrichment rates had fallen off a cliff. VulnCheck, a vulnerability intelligence company, tracked the numbers and found that in February and March 2024, the NVD was enriching only a small fraction of the CVEs being published. By mid-March, the backlog of unenriched CVEs had grown to over 10,000.
To put this in perspective, the NVD typically processes CVEs within days of publication, adding CVSS scores, CPE data (which maps vulnerabilities to specific software products and versions), and reference links. This enrichment is what transforms a bare CVE identifier into actionable vulnerability intelligence. Without it, a CVE is just a number and a description.
Why Enrichment Matters
The NVD's enrichment data serves several critical functions:
CVSS scores provide standardized severity ratings that organizations use to prioritize remediation. Without CVSS scores, security teams lose their primary triage mechanism. Is a new CVE critical or informational? Without the NVD's analysis, many teams cannot make that determination at scale.
CPE data maps vulnerabilities to specific software products and versions. This is what allows vulnerability scanners to match CVEs against your software inventory. Without CPE data, automated scanning tools cannot reliably identify whether you are affected by a given vulnerability.
Reference links connect CVEs to vendor advisories, patches, and technical details. While this information is usually available from other sources, the NVD serves as a central index that tools and analysts rely on.
Many commercial vulnerability scanning tools, including widely used products from Tenable, Qualys, and Rapid7, incorporate NVD data as a primary or supplementary source. When the NVD stops enriching CVEs, these tools may miss newly published vulnerabilities or present them without severity context.
The Impact on Security Operations
The NVD slowdown created immediate problems for security teams:
Vulnerability scanners became less effective. Scanners that rely on NVD CPE data for matching could not identify systems affected by newly published CVEs that lacked enrichment.
Risk scoring broke down. Organizations that use CVSS scores to drive SLA-based remediation workflows could not assign severity to unenriched CVEs, creating ambiguity about whether a new vulnerability required a 24-hour response or could wait for the next patch cycle.
Compliance gaps emerged. Regulatory frameworks like PCI DSS and FedRAMP reference the NVD and CVSS scores. Organizations undergoing audits faced questions about how they were managing vulnerabilities that lacked NVD-assigned severity ratings.
False sense of security. Perhaps most dangerously, organizations that equated "no NVD enrichment" with "not a real vulnerability" may have deprioritized or ignored CVEs that were actively being exploited but had not yet been analyzed by NIST.
The Root Causes
While NIST did not provide detailed explanations, industry observers pieced together several contributing factors:
Budget and staffing constraints. The NVD analysis team reportedly experienced staffing changes and budget pressure. The work of enriching CVEs, which involves manual analysis by trained security professionals, cannot scale indefinitely without corresponding resource increases.
Explosive CVE growth. The number of CVEs published annually has been growing steadily. In 2023, over 28,000 CVEs were published, up from around 25,000 in 2022. The pace of software development, combined with increased vulnerability discovery and disclosure, means the NVD's workload grows every year.
Interagency changes. NIST's vague reference to "changes in interagency support" suggested that contract or staffing arrangements with other government agencies had changed, reducing the NVD's capacity.
CISA Steps In
Recognizing the criticality of the situation, CISA announced in April 2024 that it would establish a "Vulnrichment" program to supplement the NVD's enrichment efforts. CISA committed to providing CVSS scores, CWE classifications, and CPE data for CVEs in its Known Exploited Vulnerabilities (KEV) catalog and other high-priority CVEs.
This was a welcome development but also an acknowledgment that the single-source dependency on the NVD was a structural vulnerability in the national cybersecurity infrastructure. CISA's Vulnrichment program prioritized actively exploited vulnerabilities, which is sensible from a risk perspective but still left thousands of CVEs without enrichment.
Diversifying Vulnerability Intelligence
The NVD slowdown forced the industry to seriously consider diversifying its vulnerability intelligence sources. Organizations that relied solely on the NVD found themselves blind. Those that supplemented NVD data with additional sources were better positioned:
Vendor advisories provide the most authoritative and timely information about vulnerabilities in specific products. Microsoft, Red Hat, Cisco, and other major vendors publish advisories with their own severity ratings and affected version data.
GitHub Security Advisories and the OSV (Open Source Vulnerabilities) database provide vulnerability information for open source packages that is often more timely and accurate than NVD data.
VulnCheck, Snyk, and other commercial providers maintain their own vulnerability databases with independent analysis that does not depend on NVD enrichment.
The lesson is clear: treating the NVD as the sole source of truth for vulnerability intelligence is a single point of failure that organizations should address in their vulnerability management programs.
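As an added illustration (not code from this page or from Safeguard.sh) of the triage gap described under The Impact on Security Operations and of the multi-source approach in this section: the functions below read a constructed NVD API 2.0-style record, flag the unenriched state explicitly instead of treating a missing CVSS score as "not a real vulnerability", fall back to the severity label in an OSV-format advisory, and match affected packages against an SBOM by package name and version rather than by CPE. Field names follow the public NVD 2.0 and OSV schemas; every identifier, record and version in the sample data is a constructed placeholder.

```python
from typing import Dict, List

# Constructed NVD API 2.0 style record: published, not yet analysed (no CVSS
# metrics, no CPE configurations). The CVE id is a placeholder.
NVD_UNENRICHED = {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Awaiting Analysis",
                          "metrics": {}, "configurations": []}}
# Constructed OSV-format advisory for the same CVE, with package ranges and a
# GitHub-style severity label (placeholder GHSA id).
OSV_RECORD = {"id": "GHSA-0000-0000-0000", "aliases": ["CVE-0000-00001"],
              "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                            "ranges": [{"type": "ECOSYSTEM", "events": [
                                {"introduced": "0"}, {"fixed": "2.0.1"}]}]}],
              "database_specific": {"severity": "HIGH"}}
# Constructed SBOM excerpt: package-level inventory, no CPE strings involved.
SBOM = [{"ecosystem": "PyPI", "name": "examplepkg", "version": "2.0.0"},
        {"ecosystem": "PyPI", "name": "examplepkg", "version": "2.0.1"},
        {"ecosystem": "npm", "name": "other", "version": "1.0.0"}]

def _ver(v: str) -> tuple:
    # Simplified dotted-integer comparison; real ecosystems need their own rules.
    return tuple(int(p) for p in v.split("."))

def osv_affects(osv: Dict, pkg: Dict) -> bool:
    """True if pkg falls inside an OSV affected range (introduced <= v < fixed)."""
    for aff in osv["affected"]:
        p = aff["package"]
        if (p["ecosystem"], p["name"]) != (pkg["ecosystem"], pkg["name"]):
            continue
        for rng in aff.get("ranges", []):
            lo, hi = "0", None  # last introduced/fixed pair wins in this sketch
            for ev in rng["events"]:
                lo, hi = ev.get("introduced", lo), ev.get("fixed", hi)
            v = _ver(pkg["version"])
            if v >= _ver(lo) and (hi is None or v < _ver(hi)):
                return True
    return False

def triage(nvd: Dict, osv: Dict, sbom: List[Dict]) -> Dict:
    """Use NVD severity when the CVE is enriched; otherwise fall back to the
    OSV/vendor label and report the gap rather than silently rating it low."""
    cve = nvd["cve"]
    v31 = cve.get("metrics", {}).get("cvssMetricV31") or []
    enriched = bool(v31) and bool(cve.get("configurations"))
    if enriched:
        severity, source = v31[0]["cvssData"]["baseSeverity"], "NVD"
    else:
        severity = osv.get("database_specific", {}).get("severity", "UNKNOWN")
        source = "OSV fallback (NVD unenriched)"
    hits = [f'{p["name"]}@{p["version"]}' for p in sbom if osv_affects(osv, p)]
    return {"cve": cve["id"], "nvd_enriched": enriched, "severity": severity,
            "severity_source": source, "affected": hits}
```

Running `triage(NVD_UNENRICHED, OSV_RECORD, SBOM)` reports the CVE as unenriched with severity HIGH from the OSV fallback and lists only examplepkg@2.0.0 as affected, since 2.0.1 is the fixed version.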
How Safeguard.sh Helps
Safeguard.sh is designed to provide reliable vulnerability intelligence regardless of NVD enrichment delays. Our platform aggregates vulnerability data from multiple sources, including vendor advisories, open source vulnerability databases, and our own analysis, ensuring that you have actionable information about new CVEs even when the NVD is backlogged. When the NVD eventually enriches a CVE with CVSS scores and CPE data, Safeguard.sh incorporates that data automatically. But you do not have to wait for NIST to do your job. Our SBOM-driven approach matches vulnerabilities against your actual software inventory using package-level data that does not depend on CPE matching, providing more accurate and timely vulnerability identification.