Finite State’s Response and Collaboration in Light of the NVD Slowdown

The National Vulnerability Database (NVD) has long been a fundamental resource for the cybersecurity industry, cataloging and analyzing Common Vulnerabilities and Exposures (CVEs) that practitioners and vendors rely on to track, assess, and respond to potential threats, ensuring the security of their systems and data. The current lag in the NVD's analysis leaves us all vulnerable, as delayed vulnerability identification and response increase the risk of exploitation by malicious actors, potentially leading to significant security incidents and widespread harm. This situation presents an opportunity to drive collaboration and innovation within the cybersecurity community, fostering the development of automated solutions and shared resources to enhance our collective defense mechanisms.

In February, NVD analysis drastically slowed and has been operating at around 10% of its previous pace. Every day, between 50 and 200 new vulnerabilities are filed, and there is now a sizable backlog of unanalyzed CVEs. This results in a large body of potentially dangerous vulnerabilities that don’t have risk scores or identifiers attached to them, leaving cybersecurity teams blind to potential attacks.

The pause in updates has been alarming, effectively leading to a near stoppage in:

• New associations between products and CVEs
• Assignments of CVSS scores, which reflect severity and inform prioritization
• CWE assignments, which drive mitigations of systemic weaknesses
• Reference associations, which guide research and remediation 

The size of the backlog is now around 13,000 vulnerabilities and growing every day. Recent analysis efforts show that over 90% of vulnerabilities logged in 2024 have not been analyzed. In late May, the NVD announced that a new contractor has been hired to help clear the vulnerability backlog, but we can expect that it will take several months to get caught up. The entire cybersecurity industry is grappling with this situation, and we at Finite State have been watching and working with our industry peers and partners to improve the quality and performance of our vulnerability data to help fill the gap.

Industry Response

On February 15, NIST announced a temporary delay in the NVD's analysis efforts due to the formation of a consortium, with the stated aim of overcoming current challenges and enhancing the database's tools and methods. The notification was vague and the cybersecurity community was left without clarity on what this means for the data and guidance that we have all relied on the NVD for since 2005.

Other announcements followed - Vulncheck has announced a community-led repository to add additional vulnerability data, the industry is urging the use of alternative vulnerability databases like Google’s OSV, and the CNAs (CVE Naming Authorities) are continuing to publish high quality data for the vulnerabilities they are authoring.

CISA has also stepped in, announcing at this year’s RSA Conference that they are producing a new Vulnrichment feed that includes CPEs used to link vulnerabilities with software components, and CVE and CISA announced a new “ADP” working relationship this week.

What Finite State Is Doing

To address the challenges posed by the NVD slowdown, Finite State has implemented advanced strategies to ensure our customers have access to the most accurate and comprehensive vulnerability data. 

"At Finite State, we remain steadfast in our commitment to advancing the cybersecurity industry and supporting our customers," said Matt Wyckhouse, our Founder and CEO. "We are actively participating in industry working groups and collaborating with key stakeholders to address the challenges posed by the NVD backlog. Our ongoing efforts aim to drive innovation, enhance vulnerability intelligence, and ensure that our clients have access to the most reliable and up-to-date security data available, all while prioritizing the protection of critical infrastructure that is essential to our national security and daily lives."

Our approach focuses on enhancing automated CPE generation, leveraging extensive vulnerability intelligence, maintaining continuous monitoring, and fostering collaborative efforts to keep cybersecurity defenses robust and up to date. 

Leveraging Automated CPE Generation

CPEs and PURLs are the links between vulnerabilities and affected software components or packages. The current lack of CPEs has been a serious gap for our customers and the cybersecurity industry at large. To fill the gap, Finite State will be pulling in additional CPE sources, including CISA’s new Vulnrichment feed, CNA-created CPEs, and VulnCheck’s enriched CPEs. We’ll also continue to use PURLs as additional software-matching capabilities for our package-based detections. 

Vulnerability Intelligence

At Finite State, we leverage an extensive, continuously-updated database of software security data from multiple sources to enhance our vulnerability intelligence capabilities. Finite State pulls in over 200 vulnerability sources, including the Chinese NVD and GitHub Security Advisories, which helps cover the gap left by the NVD backlog. We’ve also begun incorporating both the CISA KEV catalog flags and the extended VulnCheck KEV catalog to help cybersecurity teams better understand and respond to risks.

Continuous Monitoring and CPE Updates

The Finite State Platform offers all customers a daily update of any detected new CVEs that might match existing software components. This ensures that our customer’s vulnerability data remains current and comprehensive, providing organizations with the information they need to maintain robust cybersecurity defenses.

Collaborative Efforts

Collaboration with industry stakeholders is a cornerstone of our approach. We partner with various organizations to enhance data quality and coverage. By leveraging new data sources, including updates for CNA-authored CVEs and the new CISA Vulnrichment feed, we broaden our data pool and refine our PURL- and CPE-matching logic to ensure the highest confidence matches and reduce false positives.

For those interested in actively following and participating in addressing the NVD issue, several resources and communities are available:

CISA’s new Vulnrichment feed is available on GitHub and anyone interested can open issues if they see problems with the data or have trouble with using the data. CVE has many working groups that welcome new members and are at the forefront of finding solutions to these larger problems. VulnCheck has also created a public community and has resources for extended vulnerability data. Organizations like OWASP and ISACs (Information Sharing and Analysis Centers) foster collaboration and information sharing among cybersecurity professionals.

The ongoing slowdown at the NVD has been a catalyst for collaboration, innovation and automation in the industry. Finite State is at the forefront of this shift, dedicated to advancing cybersecurity and supporting our customers by offering innovative solutions that leverage automation for CPE generation and real-time vulnerability intelligence. 

We collaborate with industry groups and stakeholders, addressing the NVD backlog, innovating in vulnerability intelligence, and providing reliable, up-to-date security data to ensure the protection of critical infrastructure. Our approach ensures that organizations can stay ahead of vulnerabilities, reducing reliance on manual processes and enhancing overall security posture. This forcing function for innovation underscores the importance of adopting automated, collaborative strategies to maintain robust cybersecurity defenses in an increasingly complex threat landscape.