Safeguard
Concepts

What Is the NVD (National Vulnerability Database)?

The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.

Priya Mehta
Security Analyst
6 min read

The National Vulnerability Database (NVD) is a U.S. government repository, maintained by the National Institute of Standards and Technology (NIST), that enriches publicly disclosed vulnerabilities with standardized severity scores, weakness classifications, and affected-product data. The NVD does not assign vulnerability identifiers itself. It builds on top of the CVE List, taking each published CVE record and adding a second layer of analysis: a CVSS severity score, a Common Weakness Enumeration (CWE) category describing the type of flaw, and Common Platform Enumeration (CPE) strings describing which products and versions are affected. For much of the security industry, the NVD is the default source that scanners, vulnerability management tools, and compliance workflows consume when they need a machine-readable severity and a list of affected configurations.

Why the NVD matters for supply chain security

Most automated security tooling was built assuming the NVD would be there. When a scanner tells you a dependency is "critical," it is very often reading a CVSS score that the NVD, not the original reporter, computed. When a policy gate blocks a deploy for any vulnerability above a severity threshold, that threshold is usually applied to NVD data. The NVD's enrichment is what makes severity-based triage possible at scale, so it sits directly on the critical path between a vulnerability being disclosed and your team deciding whether to act.

That centrality is also the NVD's biggest risk. Its usefulness depends on analyst throughput: a CVE can exist in the CVE List with a description but no NVD score for some time while it awaits analysis, during which severity-based filters simply do not see it. Its affected-product data, expressed as CPE strings, was designed for operating systems and commercial products and is notoriously imprecise for open source package ecosystems, where a flaw affects specific version ranges of a named package rather than a vendor product line. Understanding these limits is part of understanding modern vulnerability management concepts.

How the NVD works

The pipeline has two clear stages. First, a CVE Numbering Authority assigns an identifier and MITRE publishes the base CVE record, which contains the ID, a description, and references but little structured metadata. Second, the NVD ingests that record and performs its enrichment pass: analysts (increasingly aided by automation) assign a CVSS base score using a defined formula, tag the flaw with one or more CWE categories, and construct CPE match strings that express which product versions are in scope.

The NVD publishes all of this through public data feeds and an API, which is how downstream tools consume it programmatically rather than by reading web pages. CVSS itself has evolved through multiple revisions over the years, so the database can contain scores computed on different versions of the standard, and a given record's score reflects whichever revision was applied. Because the base CVE record and the NVD enrichment are produced by different processes on different schedules, there is an inherent lag between disclosure and a fully scored, fully classified NVD entry.

Key points at a glance

ElementWhat it addsFormat
CVSS scoreStandardized severity ratingNumeric score plus vector
CWEType of weaknessEnumerated category IDs
CPEAffected products and versionsMatch strings
Data feeds and APIMachine-readable accessPublic feeds and REST API
Relationship to CVEEnrichment layer, not ID sourceBuilt on the CVE List

How Safeguard uses NVD data

Safeguard consumes the NVD but does not depend on it alone, precisely because NVD data can lag and its CPE strings map poorly to package ecosystems. Our software composition analysis correlates NVD enrichment with ecosystem-native advisory sources that express affected ranges in package-aware terms, so a finding reflects your actual npm, PyPI, Maven, or crates.io versions rather than a loose CPE match. Where the NVD provides a CVSS score, we use it; where it is missing or imprecise, we fall back to complementary signals.

Griffin AI layers reachability and exploit context on top of raw NVD severity, so a "critical" CVSS score on a dependency your code never invokes is prioritized differently from one on a reachable, actively exploited path. SBOM Studio keeps a precise inventory of your resolved versions so that when the NVD publishes or updates an entry, Safeguard can immediately tell you whether it affects something you actually ship. The goal is to treat NVD data as one authoritative input, not the sole arbiter of risk.

Frequently Asked Questions

What is the difference between the CVE List and the NVD? The CVE List is the registry of vulnerability identifiers and their base descriptions, maintained through MITRE and the network of CVE Numbering Authorities. The NVD is a separate, NIST-run database that takes those CVE records and enriches them with CVSS scores, CWE classifications, and CPE affected-product data. One assigns and describes; the other scores and classifies.

Does the NVD assign CVE identifiers? No. Identifiers are assigned by CVE Numbering Authorities under the CVE program. The NVD ingests already-published CVE records and adds analysis on top. This is why a CVE can exist and be citable before the NVD has finished scoring or classifying it.

Why do some CVEs lack an NVD severity score? Because enrichment is a distinct, resource-dependent step that happens after a CVE is published. When analysis capacity is constrained or volume spikes, records can sit awaiting analysis with a description but no CVSS score, CWE, or CPE data. Tools that filter purely on NVD severity can miss these until the enrichment catches up.

Should I rely only on the NVD for vulnerability data? No. The NVD is authoritative and widely used, but its affected-product data is imprecise for open source packages and its scores can lag disclosure. Robust programs combine NVD data with ecosystem-native advisory databases, exploitation intelligence, and reachability analysis so prioritization reflects real, current risk.


Ready to correlate NVD data with your actual dependencies and reachable risk? Create a free account at app.safeguard.sh/register and start scanning, then keep learning with the free Safeguard Academy.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.