NIST's Strategic Shift in CVE Enrichment Policy

The US National Institute of Standards and Technology (NIST) has announced a pivotal change in its approach to managing the US National Vulnerability Database (NVD). Due to budget constraints and an overwhelming number of vulnerabilities, NIST will now focus on enriching only the most critical security flaws. These include vulnerabilities actively exploited, those in software used by US federal agencies, and those classified as 'critical software'. This decision comes after NIST struggled to keep up with an explosion of bug discoveries, exacerbated by recent budget cuts.

This strategic shift is seen as a necessary move, despite being unpopular with vulnerability management companies that rely on NVD data for their tools. With NIST no longer providing comprehensive enrichment, these companies must seek alternative data sources or enrich the data themselves. The cybersecurity industry anticipated this shift, as NIST had previously hinted at rethinking its role in vulnerability analysis.

Additionally, NIST will cease providing its own CVSS severity scores, instead displaying those assigned by the organizations that issue CVEs. This change raises concerns about potential conflicts of interest, as some organizations may downplay the severity of their own software vulnerabilities.

The announcement coincides with the anticipated rise in CVE numbers due to AI-driven vulnerability discovery tools. NIST's new policy, effective April 15, aims to prioritize significant vulnerabilities, acknowledging that keeping up with all CVEs is unfeasible.

In related cybersecurity news, Russian hackers have targeted various entities, including a Swedish thermal plant and Ukrainian prosecutors. Meanwhile, the cryptocurrency exchange Grinex has shut down following a significant hack, and Zerion has attributed a recent theft to North Korean hackers.

On the tech front, OpenAI has launched a private cybersecurity model, and Anthropic has introduced identity verification for certain users. The EU has also released an age verification app to comply with new digital regulations.

In the infosec industry, several new tools have been released, including Google's web development framework Jaspr and Cleafy's Malfixer for Android APKs. These developments reflect ongoing efforts to enhance cybersecurity measures and adapt to the evolving threat landscape.