
NIST Limits CVE Enrichment After 263% Surge In Vulnerability Submissions (thehackernews.com)

NIST is narrowing how it handles CVEs in the National Vulnerability Database (NVD), saying it will only automatically enrich higher-priority vulnerabilities. "CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST," it said. "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don't expect this trend to let up anytime soon." The Hacker News reports: The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows:
- CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- CVEs for software used within the federal government.
- CVEs for critical software as defined by Executive Order 14028: this includes software that's designed to run with elevated privilege or managed privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access.

Any CVE submission that doesn't meet these thresholds will be marked as "Not Scheduled." The idea, NIST said, is to focus on CVEs that have the maximum potential for widespread impact. "While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories," it added. [...]

Changes have also been instituted for various other aspects of the NVD operations. These include:
- NIST will no longer routinely provide a separate severity score for a CVE where the CVE Numbering Authority has already provided a severity score.
- A modified CVE will be reanalyzed only if it "materially impacts" the enrichment data. Users can request specific CVEs to be reanalyzed by sending an email to the same address listed above.
- All unenriched CVEs currently in backlog with an NVD publish date earlier than March 1, 2026, will be moved into the "Not Scheduled" category. This does not apply to CVEs that are already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions, as well as the NVD Dashboard, to accurately reflect the status of all CVEs and other statistics in real time.


  • by Anonymous Coward on Friday April 17, 2026 @06:10PM (#66099304)
    What does it mean to "enrich" a CVE?
    • by thehossman ( 198379 ) on Friday April 17, 2026 @08:36PM (#66099448)
      In the slashdot post, the words automatically enrich [nist.gov] are a hyperlink that points to a guide from NIST explaining the overall CVE process. It has a very prominent section that explains exactly what "enrichment" has historically done for CVEs once they are in the NVD...

      The following is a general overview of the enrichment process for a given CVE:

      1. Enrichment efforts begin with reviewing any reference material provided with the CVE record and assigns appropriate reference tags. This helps organize the various data sources to help researchers find the relevant information for their needs. Enrichment efforts also include manual searches of the internet to ensure that any other available and relevant information is used for the enrichment process. NVD enrichment efforts only use publicly available materials in the enrichment process.
      2. A common weakness enumeration (CWE) identifier is assigned that categorizes the vulnerability. NVD enrichment efforts use a subset [slashdot.org] of the full list of CWEs that best represents the distribution of specific types of vulnerabilities. This subset is known as the CWE-1003 view and was created through coordination with the MITRE CWE team.
      3. CVSS V3.1 exploitability and impact metrics are assigned based on publicly available information and the guidelines of the specification if a CVSS score has not already been assigned. If an existing score is noticed to not be supported by CVSS guidelines or publicly available information while performing other enrichment activities, an enrichment team member may choose to provide a score. Users of NVD data may also request the NVD to provide a score.
      4. A Common Platform Enumeration (CPE) Applicability Statement is associated with the vulnerability. The CPE match criteria are generated to identify potentially vulnerable software and/or hardware for the vulnerability. For example, an application may have several versions affected or must be running on a specific operating system to be vulnerable. Automated processes can reference match criteria within the applicability statements against the CPE dictionary to assist in identifying vulnerable products within an organization's information system. Every effort is made to identify all vulnerable software, but gaps may exist and feedback is encouraged to improve this information.
      5. Enrichment effort results are given a quality assurance check by another experienced team member prior to being published to the website and data feeds.
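As an added example (not code from NIST, the linked guide, or the commenter), the following shows how the enrichment artifacts listed above are consumed downstream: it reports which artifacts an NVD-style record lacks and runs the CPE applicability match from step 4 against a local inventory, so a record left "Not Scheduled" surfaces as unmatchable rather than silently as "not affected". It assumes the NVD API 2.0 JSON field names; every CVE id, CPE name and version in it is constructed sample data.

```python
# Added example for this thread (not NIST's or Slashdot's code): given an NVD-style CVE
# record, list which enrichment artifacts (CWE, CVSS v3.1, CPE applicability statements)
# are missing, then run the CPE match against an inventory when the data is present.
# Field names follow the NVD API 2.0 JSON layout (assumed); all ids/CPEs/versions are constructed.

ENRICHED = {"cve": {"id": "CVE-0000-11111", "vulnStatus": "Analyzed",
    "weaknesses": [{"type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}],
    "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {"baseScore": 7.5}}]},
    "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.1"}]}]}]}}
NOT_SCHEDULED = {"cve": {"id": "CVE-0000-22222", "vulnStatus": "Not Scheduled"}}

INVENTORY = [("examplevendor", "exampleapp", "2.3.0"),   # constructed (vendor, product, version)
             ("examplevendor", "exampleapp", "2.4.1"),
             ("othervendor", "otherapp", "1.0")]

def enrichment_gaps(record):
    """Names of the enrichment artifacts the record lacks; an empty list means fully enriched."""
    cve = record["cve"]
    gaps = []
    if not any(w.get("type") == "Primary" for w in cve.get("weaknesses", [])):
        gaps.append("cwe")
    if not cve.get("metrics", {}).get("cvssMetricV31"):
        gaps.append("cvss31")
    if not cve.get("configurations"):
        gaps.append("cpe")
    return gaps

def _ver(s):
    """Dotted version string to a comparable tuple; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in s.split("."))

_BOUNDS = {"versionStartIncluding": lambda v, b: v >= b, "versionStartExcluding": lambda v, b: v > b,
           "versionEndIncluding": lambda v, b: v <= b, "versionEndExcluding": lambda v, b: v < b}

def _match(m, vendor, product, version):
    """Apply one cpeMatch entry: CPE 2.3 vendor/product/version fields plus optional range bounds."""
    cpe_vendor, cpe_product, cpe_version = m["criteria"].split(":")[3:6]
    if cpe_vendor not in ("*", vendor) or cpe_product not in ("*", product) or cpe_version not in ("*", version):
        return False
    return all(ok(_ver(version), _ver(m[k])) for k, ok in _BOUNDS.items() if k in m)

def affected_products(record, inventory):
    """Inventory entries matched by the record's applicability statements, or None when the
    record carries no CPE data at all, which is what an unenriched CVE leaves a scanner with."""
    configs = record["cve"].get("configurations")
    if not configs:
        return None
    return sorted({item for item in inventory for cfg in configs for node in cfg["nodes"]
                   if any(mt.get("vulnerable") and _match(mt, *item) for mt in node["cpeMatch"])})
```

The None return is the point to watch: a scanner that treats "no CPE match" and "no CPE data" the same way will report an unenriched CVE as not affecting anything.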
  • So, what is a "CVE"? It's used an awful lot in the summary without ever explaining what it is or what it stands for...

    • by rossdee ( 243626 )

      I thought a CVE was an "Escort Carrier". They were used a lot in WWII. They couldn't carry as many planes as a full size attack carrier (CVA), but were a lot cheaper and faster to build. After WWII they were essentially obsolete since you needed a full size carrier (with catapults) to handle jets.

    • Common Vulnerabilities & Exposures, for anybody in the Cybersecurity space
  • More acrimony about acronyms.
