Blog May 16, 2024

National Vulnerability Database (NVD) leaves thousands of vulnerabilities without analysis data

by Serkan Ozkan, Distinguished Engineer, R&D
by Serkan Ozkan, Distinguished Engineer, R&D

The Common Vulnerabilities and Exposures (CVE) List and National Vulnerability Database (NVD) can no longer be considered a single central source of vulnerability truth.

 

The cybersecurity world is no doubt aware that the National Vulnerability Database (NVD) has been experiencing issues over the last three months

Up until recently, the National Vulnerability Database (NVD) was the world’s most widely used vulnerability data source, and the industry’s go-to destination for reliable and consistent CVE data. But since January, users noticed that it had not been providing the same level of detail for most CVEs, and failing to do manual analysis for most CVEs as well. Then suddenly last week, NVD stopped providing CVE data altogether. Rumors circulated about the site disappearing completely (had it lost its funding?), but several days later, NVD appeared once again, explaining that a system/software update caused it to go offline. 

Though NVD appears to be working again (for now), it is still not providing CVE analysis data (i.e affected CPE information), which is vital for everyone’s ability to easily determine if a version is vulnerable or not. Sometimes consuming CVE data is hard, with vague descriptions and minimal information that means nothing at first sight. Reviewing a CVE might turn into an hours-long journey between reference urls, vendor advisories, and click-bait sites returned by Google search.

 

What’s the alternative to NVD?

SecurityScorecard’s vulnerability intelligence service, CVEdetails.com, provides CVE data with affected CPE information for most CVEs. We also provide automated and manual analysis and offer coverage for most products. 

The CVE data provided by CVEdetails.com can be viewed anonymously using the website, for free and without a subscription. Subscribers to the service also have access to other data types besides CVEs, such as advisories and integration options like APIs, RSS feeds, and email alerts. 

Another exciting function is an API that returns CVE data in NVD format — even if the CVE is not available from NVD — to allow users to migrate from NVD to CVEdetails.com with minimal effort. 

 

SecurityScorecard manually reviews CVEs affecting:

  • Enterprise software
  • Well-known software and libraries including, but not limited to, operating systems, programming languages, and open source software
  • Products from major vendors

 

To help users cut through the noise, SecurityScorecard does not manually review CVEs affecting:

  • Most wordpress plugins
  • Projects hosted at SourceCodester, Campcodes, etc
  • Github projects with a small number of users
  • Some hardware devices like wifi routers with many different versions and variations

 

“Even if NVD is not available, we’ve got you covered.”

 

CVEdetails is constantly being refined, and our team will also be adding new and improved filtering options to help users avoid noise and focus on issues that matter. The bottom line is that even if NVD is not available, we’ve got you covered.

In the meantime, please feel free to reach out if you have any questions, or if you would like to schedule a demo to explore CVEDetails.com.

 

Visit CVEDetails.com to learn more

Go to CVEDetails