NIST announced it will limit enrichment of CVE records to vulnerabilities that meet new prioritization criteria after an exponential surge in submissions made it impossible to document every report. Going forward, NIST will enrich only CVEs listed in CISA’s catalog of exploited vulnerabilities and those affecting federal or critical products. It will rely on submitter-provided severity scores and move older backlogged CVEs to a “Not Scheduled” status as it builds automated workflows.
Key points
- CVE submissions have surged exponentially, outpacing NIST’s capacity to enrich every record.
- NIST will only enrich CVEs that are in CISA’s exploited-vulnerabilities catalog or that affect federal products or software deemed critical.
- Backlogged CVEs with NVD publish dates before March 1, 2026 will be moved into a “Not Scheduled” category.
- NIST will stop providing its own severity score for all CVEs and will instead rely on submitter-provided scores.
- Staffing and funding shortfalls, plus an AI-driven increase in submissions and concerns about automated exploit discovery, prompted the policy change.
Read More: https://therecord.media/nist-to-limit-work-on-cve-entries-surge