Voices in the vulnerability management community have warned that the persistent problems at the US National Vulnerability Database (NVD) could lead to a major supply chain security crisis.
A group of 50 cybersecurity professionals signed an open letter that was sent on April 12 to the US Secretary of Commerce, Gina Raimondo, and several members of the US Congress.
The letter is titled "A cybersecurity crisis in waiting: On the Need to Restore and Enhance Operations with the National Vulnerability Database."
In the document, the signatories urge Congress to investigate the ongoing issues with the NVD, help the US National Institute of Standards and Technology (NIST) restore vulnerability enrichment, and support the Institute in the modernization of the NVD program.
NVD Consortium: NIST’s Response to the Vulnerability Backlog
In early March, security researchers noticed a significant drop in vulnerability enrichment data uploads on the NVD website. The drop had started in mid-February.
While vulnerability entries (known as Common Vulnerabilities and Exposures, or CVEs) continued to be added to the database, many were not fully analyzed.
This means that crucial enrichment metadata for those CVEs, such as the corresponding Common Weakness Enumeration (CWE) identifiers, Common Platform Enumeration (CPE) product identifiers and Common Vulnerability Scoring System (CVSS) severity scores, was not added to the database.
According to its own data, NIST has analyzed only 4,398 of the 10,826 CVEs received so far this year.
The issues appear to stem from a lack of resources, both funding and staff.
In late March, NIST launched an industry consortium to support it in running and funding the NVD program in the future.
Prioritize a Short-Term Response
The open letter signatories argued that the priority should be to resolve the current NVD backlog.
Since the NVD is the most comprehensive vulnerability database in the world, many organizations rely on it when deploying updates and patches.
If such issues are not resolved quickly, they could significantly impact the security researcher community and organizations worldwide.
The authors suggested that only once this is done should NIST and the NVD Consortium focus on reorganizing the vulnerability disclosure and management processes within the NVD program.
For now, the signatories urge Congress to support NIST in three immediate actions:
- Investigate the ongoing issues with the NVD
- Ensure NIST has the necessary resources to restore operations immediately
- Lay the groundwork for critical improvements to the service
Restoring NVD Operations: Industry Recommendations
To achieve those goals, the signatories made several recommendations, including:
- Implement stopgap processes for the NVD to act as a pass-through of CVE Numbering Authority (CNA) data without re-scoring or duplicating the work of the CVE program, except in cases of apparent inaccuracies in CNA-provided data.
- Establish a plan, with clear timelines and accountability, to improve NVD processes and operations and open the plan to public and private stakeholder input with a public comment period.
- Investigate NIST's lack of transparency regarding regression in NVD operations from February 15 through March 25.
- Consider the establishment of sustained funding to provide reliable resources for NVD daily operations without conflicts of interest.
- Treat the NVD as critical infrastructure and ensure the NVD program continues running through government shutdowns and other disruptions that would otherwise impede the critical services it provides.
- Keep the NVD independent. While industry collaboration with NIST and the NVD should be encouraged, a single entity should own and operate NVD, given its critical role as a source of truth for the federal government.
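As an added example, not taken from the article, the open letter or NIST, the following Python check shows what the missing enrichment described earlier looks like in practice and how the CNA pass-through recommendation above can be applied on the consumer side: it inspects NVD API 2.0-style CVE records, reports whether NIST-provided CWE, CPE and CVSS data is present, and falls back to the CNA-supplied CVSS score when NIST has not scored the CVE. The field names assume the NVD API 2.0 JSON layout (`vulnStatus`, `metrics.cvssMetricV31`, `weaknesses`, `configurations`); the CVE ids, sources and scores in the sample are constructed placeholders.

```python
import json

# Constructed sample in the shape of NVD API 2.0 "vulnerabilities[].cve" records.
# The CVE ids, sources and scores are placeholders made up for this example.
SAMPLE = json.loads("""
[
 {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
  "metrics": {"cvssMetricV31": [
     {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.8}},
     {"source": "cna@example.org", "type": "Secondary", "cvssData": {"baseScore": 9.1}}]},
  "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                  "description": [{"lang": "en", "value": "CWE-787"}]}],
  "configurations": [{"nodes": [{"cpeMatch": [
     {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]},
 {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
  "metrics": {"cvssMetricV31": [
     {"source": "cna@example.org", "type": "Secondary", "cvssData": {"baseScore": 7.5}}]},
  "weaknesses": [{"source": "cna@example.org", "type": "Secondary",
                  "description": [{"lang": "en", "value": "CWE-79"}]}]},
 {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}
]
""")

def enrichment_status(cve):
    """Report which enrichment fields a CVE record carries and pick a usable CVSS.

    NIST-provided data has type "Primary"; CNA-provided data has type "Secondary".
    With no Primary score, use the CNA score (pass-through) instead of "unscored".
    """
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    primary = [m for m in metrics if m.get("type") == "Primary"]
    secondary = [m for m in metrics if m.get("type") == "Secondary"]
    has_cwe = any(d.get("value", "").startswith("CWE-")
                  for w in cve.get("weaknesses", []) for d in w.get("description", []))
    has_cpe = any(cm.get("criteria", "").startswith("cpe:2.3:")
                  for c in cve.get("configurations", [])
                  for n in c.get("nodes", []) for cm in n.get("cpeMatch", []))
    if primary:
        score, origin = primary[0]["cvssData"]["baseScore"], "nist"
    elif secondary:
        score, origin = secondary[0]["cvssData"]["baseScore"], "cna"
    else:
        score, origin = None, "none"
    return {"id": cve["id"], "status": cve.get("vulnStatus"),
            "enriched": bool(primary) and has_cwe and has_cpe,
            "cvss": score, "cvss_origin": origin}

def unscored(records):
    """Return the ids that have no CVSS score from either NIST or the CNA."""
    return [r["id"] for r in map(enrichment_status, records) if r["cvss"] is None]
```

Records that come back with `cvss_origin` of "cna" are the ones a team can still prioritize during the backlog; those in `unscored` need a separate data source or manual review.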
The open letter's signatories are individuals working across the security landscape, including tech giants like Google, open-source organizations like OpenSSF, and security vendors such as Chainguard, VulnCheck and Okta.