NIST Blames 'Growing Backlog of Vulnerabilities' Requiring Analysis on Lack of Support
It's the world's most widely used vulnerability database, reports SC Magazine, offering standards-based data on CVSS severity scores, impacted software and platforms, contributing weaknesses, and links to patches and additional resources. But "there is a growing backlog of vulnerabilities" submitted to America's National Vulnerability Database and "requiring analysis", according to a new announcement from the U.S. Commerce Department's National Institute of Standards. "This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support." From SC Magazine: According to NIST's website, the institute analyzed only 199 of 3370 CVEs it received last month. [And this month another 677 came in - of which 24 have been analyzed.] Other than a short notice advising it was working to establish a new consortium to improve the NVD, NIST had not provided a public explanation for the problems prior to a statement published [April 2]... "Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well." NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as "a key piece of the nation's cybersecurity infrastructure... We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD," the statement said. "We will provide more information as these plans develop..." A group of cybersecurity professionals have signed an open letter to Congress and Commerce Secretary Gina Raimondo in which they say the enrichment issue is the result of a recent 20% cut in NVD funding. The article also cites remarks from NVD program manager Tanya Brewer (reported by Infosecurity Magazine) from last week's VulnCon conference on plans to establish a NVD consortium. "We're not going to shut down the NVD; we're in the process of fixing the current problem. And then, we're going to make the NVD robust again and we'll make it grow." Thanks to Slashdot reader spatwei for sharing the article.
Read more of this story at Slashdot.