Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Government United States

NIST Blames 'Growing Backlog of Vulnerabilities' Requiring Analysis on Lack of Support (infosecurity-magazine.com) 22

It's the world's most widely used vulnerability database, reports SC Magazine, offering standards-based data on CVSS severity scores, impacted software and platforms, contributing weaknesses, and links to patches and additional resources.

But "there is a growing backlog of vulnerabilities" submitted to America's National Vulnerability Database and "requiring analysis", according to a new announcement from the U.S. Commerce Department's National Institute of Standards. "This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support." From SC Magazine: According to NIST's website, the institute analyzed only 199 of 3370 CVEs it received last month. [And this month another 677 came in — of which 24 have been analyzed.]

Other than a short notice advising it was working to establish a new consortium to improve the NVD, NIST had not provided a public explanation for the problems prior to a statement published [April 2]... "Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well."

NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as "a key piece of the nation's cybersecurity infrastructure... We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD," the statement said. "We will provide more information as these plans develop..."

A group of cybersecurity professionals have signed an open letter to Congress and Commerce Secretary Gina Raimondo in which they say the enrichment issue is the result of a recent 20% cut in NVD funding.

The article also cites remarks from NVD program manager Tanya Brewer (reported by Infosecurity Magazine) from last week's VulnCon conference on plans to establish a NVD consortium. "We're not going to shut down the NVD; we're in the process of fixing the current problem. And then, we're going to make the NVD robust again and we'll make it grow."

Thanks to Slashdot reader spatwei for sharing the article.
This discussion has been archived. No new comments can be posted.

NIST Blames 'Growing Backlog of Vulnerabilities' Requiring Analysis on Lack of Support

Comments Filter:
  • by wierd_w ( 1375923 ) on Monday April 08, 2024 @01:55AM (#64377510)

    (GOP Talking Head)

    But But But--
    WHY SHOULD TAXPAYERS FOOT THE BILL FOR THIS!?

    (looks in mirror-- the reflection screams back)

    YOU CANT POSSIBLY EXPECT **JOB CREATORS** TO FOOT THIS EXPENSE! THINK OF THE ECONOMY!!
    ---
    (The shadow on the wall chips in)

    IT WAS CLEARLY IMMIGRANTS!
    ---
    (Mirror reflection screams at the shadow)

    WE CANT FIND QUALIFIED APPLICANTS!!
    --
    (Talking head)

    Please! You're all giving me a ME-ACHE!
    It's CLEARLY a case of LAZY WORKERS that JUST NEED TO WORK HARDER!
    --

    (All three in unison)

    HURRAY! 20% CUT!!

    • It's obviously gubbermint over-reach. I don't know what that means but I've heard other populist politicians say it & it sounds good to me.
    • I'm sure the three-letter agencies are more than willing to analyse these vulnerabilities - it's undoubtedly already done and fully funded. Oh you want them to share the results of the analysis? hmmmmm
      • If they want secure software they better share the findings with the developers
        • But, if they DISCLOSE those OH SO USEFUL vulnerabilities, then those will become USELESS!!

          How will we keep AMERICA NUMBER ONE if we sabotage our own advantage in espionage!?

          We KEEP ON INSISTING that we *NEED* to install backdoors in these software stacks AT THE FACTORY, but we KEEP GETTING TOLD NO!!

          **ITS SO UNFAIR!!** /s

      • by gtall ( 79522 )

        Sharing the three-letter agencies' information also reveals to the Russians, the Chinese, the Iranians, and the Norks the three-letter agencies' capabilities. Now they could share with NIST but that too gets sticky as NIST isn't really set up to handle those kinds of security.

        NIST's problems are the result of not adequately funding the internal operations of the government as opposed to things like SS, Medicare, Medicaid. The R's don't give a flying rat's ass about the government operations (deep state and

      • I'm sure the three-letter agencies are more than willing to analyse these vulnerabilities - it's undoubtedly already done and fully funded. Oh you want them to declassify the fact that they created the vulnerability? hmmmmm

        FTFY, in case you were still wondering about what’s holding up all that “agency cooperation and interoperability”. Sometimes we forget where we get the really good shit from.

    • by whitroth ( 9367 )

      10 points! Great job.

  • Well that would.... (Score:5, Interesting)

    by codebase7 ( 9682010 ) on Monday April 08, 2024 @02:27AM (#64377566)
    Well, that would explain how the We don't know how file system permissions work "vulnerability" [nist.gov] got through. I guess my guess of the cause [slashdot.org] held out then....
  • The Linux Kernel project became a "CVE Numbering Authority" in the middle of February and since then has issued 691 CVEs.

    See this Slashdot article [slashdot.org] in which I am quoted as "worrying this could overwhelm the CVE infrastructure".

    • by serafean ( 4896143 ) on Monday April 08, 2024 @03:23AM (#64377618)

      That's kind of the point of it. Kernel devs have no idea if in your specific usecase they haven't thought about that bug can become an exploitable vulnerability.
      The old "a bug is a bug is a bug" wasn't making security people happy, so now they're treating almost every bug as a potential security issue.
      Pick your poison, and keep your kernel up to date...

    • The Reporting Bug. (Score:5, Insightful)

      by geekmux ( 1040042 ) on Monday April 08, 2024 @04:52AM (#64377670)

      The Linux Kernel project became a "CVE Numbering Authority" in the middle of February and since then has issued 691 CVEs.

      See this Slashdot article [slashdot.org] in which I am quoted as "worrying this could overwhelm the CVE infrastructure".

      Fair point, but that was either the main cause of this backlog, or it wasn’t. A 12% budget cut either had an impact, or it did not. Which is it? Should be simple to validate with a bit of historical content. How many CVEs went days, weeks, or months without analysis a year ago? Three budgets ago?

      It’s sad we’re compelled to ask historical questions to validate every claim today, but it’s quite necessary to determine how much bullshit clickbait may comprise any given article. Anyone will say anything for clicks these days. Part of the “bug” of reporting.

      • Comment removed based on user account deletion
      • Fair point, but that was either the main cause of this backlog, or it wasn’t. A 12% budget cut either had an impact, or it did not. Which is it?

        It could be both. There could be other factors as well.

  • Time out, it kinda got ahead of us, everyone needs a break. Just unplug the whole internet and let NIST catch up. It's not safe to be connected without a current CVE database.

  • by Bruce66423 ( 1678196 ) on Monday April 08, 2024 @06:54AM (#64377800)

    This is important work, but the idea that the US taxpayer should be the only people paying for it is not reasonable; other countries should be making financial contributions, as should the big tech companies.

  • Great work guys.. patch every single vulnerability so our corporate overlords can have total control over us. Eff the ICE.
  • by jmccue ( 834797 ) on Monday April 08, 2024 @07:49AM (#64377896) Homepage

    NIST, which had its budget cut by almost 12% this year by lawmakers

    Who would have thought that cutting budgets would reduce services ? Welcome to the US Gov, the GOP wants to cut everything except for agencies that kill people. NIST, enjoy the land of the FDA, FTC, CDC, Social Programs .... (I could go on).

The debate rages on: Is PL/I Bachtrian or Dromedary?

Working...