
The National Institute of Standards and Technology (NIST) said it has awarded a new contract to a third party to help the federal government process software and hardware bugs added to the National Vulnerability Database (NVD).
Government officials, experts, and defenders have raised alarms about the backlog of new vulnerabilities that have not been analyzed or enriched since the agency announced cutbacks in February. Now, the third party will provide additional processing support for incoming CVEs that will be added to the NVD.
According to the NVD statement, “We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.” The agency is working with the Cybersecurity and Infrastructure Agency on adding unprocessed CVEs to the database. This backlog will be cleared by the end of the fiscal year.
The number of NVD staff stands at 21 people, while the number of vulnerabilities submitted continues to grow. Researchers from VulnCheck analyzed the NVD’s activity since it announced cutbacks on February 12 and found that of the 12,720 new vulnerabilities added since then, 11,885 “have not been analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability.”

