nvd
Safeguard articles tagged "nvd" — guides, analysis, and best practices for software supply chain and application security.
18 articles
NVD's enrichment backlog and how to build a multi-source vuln database strategy
NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.
CWE vs. CVE vs. CVSS: The Vocabulary Every AppSec Team Gets Wrong
One CWE weakness class can spawn thousands of CVEs, and a single CVE can now carry two different CVSS scores at once — most teams still use the terms interchangeably.
Why NVD alone is not enough: the case for multi-source vulnerability intelligence
NIST now fully enriches a fraction of CVEs — on April 15, 2026 it moved to a triage model that leaves most of 2025's 48,185 published CVEs without a timely severity score.
NVD in the AI era: multi-source vulnerability intelligence
NVD's 2024 enrichment backlog exposed the risk of a single vulnerability feed. Here's how multi-source data and AI triage close the gap.
What is a known vulnerability?
A known vulnerability is a publicly disclosed, CVE-tracked flaw — and disclosure alone doesn't mean it's fixed, patched, or harmless.
CVE scoring inconsistencies across vulnerability databases
Why the same CVE can carry three different severity scores across NVD, GitHub, and vendor advisories — and how to prioritize anyway.
How Trivy sources vulnerability data (NVD, vendor advisor...
Trivy's CVE data comes from NVD, GHSA, and distro trackers compiled into a periodic snapshot — not kube-hunter. Here's how the pipeline really works, and where it lags.
Open Source Vulnerability Database Comparison 2026
Comparing the major open source vulnerability databases in 2026: NVD, OSV, GHSA, GitLab Advisory, and ecosystem-specific feeds measured on coverage and freshness.
What is a Vulnerability Database
CVE, NVD, OSV, GHSA, KEV — vulnerability databases power every scanner's severity score. Here's how they're built, enriched, and where they fall short.
Open Source Vulnerability Databases Compared: NVD, OSV, GitHub Advisory, and More
Not all vulnerability databases are created equal. A detailed comparison of coverage, timeliness, accuracy, and practical usability across the major databases.
CVSS 4.0 Scoring Adoption: What Changed
Two years after CVSS 4.0's release, adoption remains uneven. Here is where scoring really changed, where it did not, and how to handle mixed datasets.
What Is the NVD (National Vulnerability Database)?
The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.