NIST gives up enriching most CVEs
by mooreds on 4/17/2026, 3:09:14 PM
https://risky.biz/risky-bulletin-nist-gives-up-enriching-most-cves/
Comments
by: smsm42
> This opens the door for a lot of infosec drama. Some of the organizations that issue CVE numbers are also the makers of the "reported" software, and these companies are extremely likely to issue low severity scores and downplay their own bugs.

It is true, but the reverse is also true. It may be very hard for an external body to issue proper scoring and narrative for bugs in thousands of various software packages. Some bugs are easy, like if you get instant root on a Unix system by typing "please give me root", then it's probably a high severity issue. But a lot of bugs are not simple and require a lot of deep product knowledge and understanding of the system to properly grade, knowledge that is frequently not widely available outside of the organization. And, for example, assigning panic scores to issues that are very niche and theoretical, and do not affect most users at all, may also be counter-productive and lead to massive waste of time and resources.
4/17/2026, 4:02:29 PM
by: tptacek
The NVD was an absolutely wretched source of severity data for vulnerabilities and there is no meaningful impact to vendors/submitters supplying their own CVSS scores, other than that it continues the farce of CVSS in a reduced form, which is a missed opportunity.
4/17/2026, 5:00:54 PM
by: j16sdiz
TBH, I don't see much enrichment they have been giving in the last 5 or 6 years.
4/17/2026, 4:21:00 PM
by: rwmj
https://archive.ph/S8ajd

"Enrichment" apparently is their term for adding information to the CVE database.
4/17/2026, 3:52:40 PM
by: Retr0id
Maybe we should just assign UUIDs
4/17/2026, 4:34:26 PM
by: DeepYogurt
Long overdue to be honest.
4/17/2026, 3:51:47 PM
by: shevy-java
> Going forward, NIST says its staff will only add data—in a process called enrichment—only for important vulnerabilities.

Now - I am not saying I disagree with everything here, mind you; I guess everyone may agree that CVEs may range in severity. But then the question also is ... what is the point of an organisation that is cut down to, say, handle 1% of CVEs - and ignore the rest? Why have such an organisation then to begin with?

I don't have enough data to conclude anything, but from a superficial glance it kind of seems like trying to cut down on standards or efficiency.
4/17/2026, 4:56:05 PM