We’ve heard concerns about National Institute of Standards and Technology (NIST) NVD’s announcement this week clarifying their focus will now be much more limited moving forward.
Starting on April 15, 2026, NIST will prioritize the following CVEs for enrichment:
- CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
- CVEs for software used within the US federal government
- CVEs for critical software as defined by Executive Order 14028
What this means is that there will be a significant volume of CVEs that will not be enriched by NIST. This news comes after over 2-years of degradation in the NIST NVD enrichment services that started in 2024 after a reduction in funding.
While we appreciate NIST’s transparency for communicating how they will be prioritizing and resourcing enrichment moving forward, this will continue to exacerbate the data gap that NIST NVD has left across CVE records impacting CPE, CWE and CVSS coverage over the past 2-years, which creates negative security outcomes for organizations in the United States and globally
In response to NIST NVD’s resource constraints in 2024, VulnCheck launched NVD++ on March 13, 2024, a free Community-accessible service providing:
- Timely access to NIST NVD data (no 503 Service Unavailables)
- NIST NVD 1.0 compliant downloads (no longer supported by NIST)
- Substantially expanded CPE coverage
Additionally, VulnCheck’s Exploit & Vulnerability Intelligence commercially-available product, already provides broad coverage for CVSS, CVSS-BT, & CPE lookup. One of the measures we took proactively in the past was to add CVSS scores from several vendor advisories to provide near complete coverage in our commercial offering.
1000’s of organizations have already adopted VulnCheck NVD++ since we have launched the service in addition to our other community offerings including VulnCheck KEV, VulnCheck XDB, and Report a Vulnerability Service.
Anyone can access VulnCheck NVD++ as part of VulnCheck Community for free today at: https://www.vulncheck.com/nvd2
VulnCheck continues to outperform NIST NVD CPE enrichment in both volume of CVEs and speed. This chart provides VulnCheck CPE generation vs. NIST NVD over the past year. We remain committed to continuing to expand coverage.
VulnCheck will expand our NVD++ community and commercial enrichments over the next month to add CVSS scores to CVE records to provide timely and near complete CVSS coverage.
VulnCheck is helping organizations not just to solve the vulnerability prioritization challenge – we’re working to help equip any product manager, CSIRT/PSIRT or SecOps team and Threat Hunting team to get faster and more accurate with infinite efficiency using VulnCheck solutions.
We knew that we needed better data, faster across the board, in our industry. So that’s what we deliver to the market. We’re going to continue to deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.
Are you interested in learning more? If so, VulnCheck’s Exploit & Vulnerability Intelligence has broad threat actor coverage. Register and demo our data today.
