The National Institute of Standards and Technology (NIST) continues to struggle with a growing backlog of CVE submissions in the National Vulnerability Database (NVD). Despite efforts to process vulnerabilities at the same rate as before, the number of submissions increased by 32% in 2024, worsening the backlog. The pace of processing is not enough to keep up with the surge, and NIST anticipates more submissions in 2025.
The backlog is impacting the vulnerability management community, as NVD data serves as an essential source of truth for organizations.
The slow processing has created a gap between the reported vulnerabilities and actionable intelligence, hindering efforts to protect systems. Vulnerability data enrichment and triaging continue, but without faster processing, organizations face significant challenges in managing threats.
NIST acknowledged that its current workflows and data systems were designed for lower submission volumes, contributing to the bottlenecks. Outdated formats and manual enrichment procedures exacerbate the delays, making it harder for the institute to clear the backlog efficiently.
While additional staffing efforts have been made, they have not been sufficient to address the growing demand for processing CVE reports.
To combat this issue, NIST is exploring the integration of artificial intelligence and machine learning technologies to automate certain processing tasks. These technological advancements are expected to improve the speed and efficiency of processing submissions, but it remains to be seen if they will be enough to resolve the backlog. As submissions continue to rise, NIST’s ability to keep up with the growing demand will be crucial for maintaining the security of systems nationwide.
Reference:
