RSAC: CISA Launches Vulnrichment Program to Address NVD Challenges

Written by

Read more about the NVD backlog of vulnerability analysis:

The US Cybersecurity and Infrastructure Security Agency (CISA) announced on May 8 that it was starting a new software vulnerability enrichment program called ‘Vulnrichment.’

This comes almost three months after the National Vulnerability Database (NVD), the world’s most comprehensive vulnerability database and operated by the US National Institute of Standards and Technology (NIST), started facing challenges in vulnerability enrichment.

According to its own data, NIST has analyzed only 4523 of the 14,228 common vulnerabilities and exposures (CVEs) received so far this year.

Decoding CISA’s ‘Vulnrichment’ Effort

CISA’s ‘Vulnrichment’ program will focus on adding metadata to CVEs, including Common Platform Enumeration (CPE) numbers, Common Vulnerability Scoring System (CVSS) scores, Common Weakness Enumeration (CWE) nametags, and Known Exploited Vulnerabilities (KEV) entries.

This metadata “is critical to help organizations prioritize remediation, understand trends, and drive vendors to address classes of vulnerability,” said CISA in a social media post.

CISA said it recently enriched 1300 CVEs and continue to diligently work to ensure all submitted CVEs are enriched.

The Agency has asked all CVE Numbering Authorities (CNAs) to provide complete CVEs when making their initial submission to CVE.org.

“Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC). We will use CVE JSON format so stakeholders can immediately start incorporating these updates into vulnerability management processes,” the agency added.

CISA Fills the Gap Left by NIST’s NVD

Speaking to Infosecurity during the RSA Conference 2024, Patrick Garrity, a security researcher at software security firm VulnCheck, praised CISA’s initiative.

“NIST has continued to over-promise and under-deliver, leaving the security community unsure about the future of the NVD,” Garrity said.

“It’s great to see CISA stepping up to fill the CVE enrichment gap that the NIST NVD has neglected to address. It will take a collaborative effort across CVE.org CNAs, software suppliers, government agencies, and the private sector to fill the gap NVD continues to leave behind,” he said.

Chris Hughes, founder of Aquia and former CISA fellow, told Infosecurity that the ‘Vulnrichment’ program was “an excellent resource for CISA to share with the community.”

He continued: “As we know, the NVD has significantly slowed its vulnerability/CVE enrichment, leaving the community struggling to properly contextualize and prioritize vulnerabilities. By CISA providing this information, over 1,000 vulnerabilities now have additional context and can be properly prioritized by organizations.

“Additionally, their willingness to share the SSVC provides insight into CISA's internal use of SSVC as a vulnerability scoring and prioritization scheme, which will help organizations understand how to practically leverage SSVC themselves for other vulnerabilities and internal vulnerability management programs.”

Immanuel Chavoya, CEO and Founder of RiskHorizon.ai said the Vulnrichment initiative is a pivotal step in the right direction.

However, he warned true resilience lies in preemptive enrichment of all CVEs before exploitation occurs.

“Waiting for indicators of exploitation to populate CVEs still introduces delays downstream,” Chavoya said.  

CISA’s ‘Vulnrichment’ initiative can be found in a dedicated GitHub repository.

The US agency also encouraged software security professionals to contact the agency at the following email address: vulnrichment@cisa.dhs.gov.

Read more: Navigating the Vulnerability Maze: Understanding CVE, CWE, and CVSS

What’s hot on Infosecurity Magazine?