What is the National Vulnerability Database (NVD)?

Date: Tuesday, November 18, 2025
Time: 10:00 AM PST | 01:00 PM EST
Duration: 90 Minutes
Speaker: Tom Alrich
Webinar Id: 61830

Pricing:

  • Live Session: $119.00 Single Attendee | $249.00 Group Attendees
  • Recorded Session: $159.00 Single Attendee | $359.00 Group Attendees
  • Combo (Live+Recorded): $249.00 Single Attendee | $549.00 Group Attendees

Overview:

All software products and intelligent devices either have vulnerabilities today or will have them in the not-too-distant future. There will probably never be a truly vulnerability-free software product. This is why software users and software developers need to focus on vulnerability management, not vulnerability elimination. 

The most important tool for vulnerability management is a vulnerability database. While there are many vulnerability databases worldwide, by far the most widely used today is the US National Vulnerability Database. This database is operated by the National Institute of Standards and Technology (NIST), which is part of the Department of Commerce.

The main purpose of a vulnerability database is to allow users of software products to learn about vulnerabilities that have been identified in those products. The NVD achieves this purpose by downloading new CVE Records that have been created by the CVE Program. The records must include a CVE number for the vulnerability (e.g., CVE-2025-12345), a description of the vulnerability, and a description of one or more products that are affected by the vulnerability.

What should also be included in the record - but which today is not included in about half of new CVE Records - is a machine-readable identifier (called a “CPE number”) for each product and version described as “affected” in the text of the CVE record. If this identifier is not present in the record, the CVE record is effectively invisible to automated searches on the NVD. 

This means that probably half of NVD searches today yield incomplete information, but with no warning that this is likely to be the case. This is a serious problem; what is more serious is that the NVD seems to be unable to fix the problem, despite many promises to do so.

Why you should Attend:

Automated software vulnerability management is only possible if:

  1) There is a program to identify and catalog vulnerabilities, as well as the software product(s) that are affected by those vulnerabilities
  2) There are one or more vulnerability databases that enable software users to learn about vulnerabilities that affect the specific software products and intelligent devices that they use. A software user should be able to search using the name and version number of a product they use, and immediately be shown all the vulnerabilities that affect that product and version

The functions in 1) are performed by the CVE Program, currently run with funding from the US Department of Homeland Security (this program is the subject of a separate course in this series, “What is CVE?”). The Program’s primary function is to produce CVE Records that describe newly identified software vulnerabilities, which are identified with a “CVE number” like CVE-2025-12345. Most people involved with vulnerability management think the CVE Program is well run, although it could always be improved.

However, the functions in 2), which are performed by the National Vulnerability Database (NVD), are another story. The NVD downloads new CVE Records from the CVE.org database. Until February 2024, NVD staff members or contractors always quickly assigned a machine-readable software identifier to each of the vulnerable software product(s) described in the text of each CVE record that it downloaded. This made it possible for automated searches that use the name and version number of the vulnerable product to find the record that ties the vulnerability (CVE) to the product (CPE).

Unfortunately, since February 2024, the NVD has only assigned CPE names to about half of new CVE records; the other records are effectively invisible to automated searches of the NVD. They can be found with a text search, but since there are over 300,000 CVE records in the NVD today, searching through the text of each one of them would take a huge amount of time. The effect of this is that about half of all vulnerabilities that apply to a product won’t appear when the product is searched for in the NVD; moreover, the user receives no warning of this problem.
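As an added illustration (not part of the webinar material), the following Python check shows why a record without a CPE name is invisible to an automated product search, and how a text-search fallback over the description can at least surface such records with a warning. The record layout and the two sample records are assumptions modelled on the NVD API 2.0 JSON shape; the CVE ids are placeholders.

```python
"""Flag NVD records that carry no CPE name, and fall back to a text search.

The record shape follows the NVD API 2.0 JSON layout as assumed here
(cve.id, cve.descriptions, cve.configurations[].nodes[].cpeMatch); the two
records below are constructed samples with placeholder ids, not real NVD data.
"""
from typing import Dict, List, Tuple

SAMPLE_FEED = {  # constructed sample feed
    "vulnerabilities": [
        {"cve": {  # enriched record: carries a CPE name for the affected product
            "id": "CVE-0000-0001",
            "descriptions": [{"lang": "en", "value": "Buffer overflow in ExampleApp 2.1."}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:exampleapp:2.1:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {  # never enriched: no "configurations" key at all
            "id": "CVE-0000-0002",
            "descriptions": [{"lang": "en", "value": "Privilege escalation in ExampleApp 2.1."}],
        }},
    ]
}

def cpe_names(cve: Dict) -> List[str]:
    """Return every CPE match string in a record (empty if never enriched)."""
    return [m["criteria"]
            for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])]

def search_product(feed: Dict, vendor: str, product: str) -> Tuple[List[str], List[str]]:
    """Return (cpe_hits, text_only_hits) for a vendor/product pair.

    cpe_hits is what an automated CPE-based search returns; text_only_hits are
    records with no CPE name whose English description mentions the product,
    which the CPE search would silently miss.
    """
    prefix = f"cpe:2.3:a:{vendor}:{product}:"
    cpe_hits, text_only_hits = [], []
    for entry in feed["vulnerabilities"]:
        cve = entry["cve"]
        names = cpe_names(cve)
        if names:
            if any(n.startswith(prefix) for n in names):
                cpe_hits.append(cve["id"])
        elif any(product.lower() in d["value"].lower()
                 for d in cve.get("descriptions", []) if d.get("lang") == "en"):
            text_only_hits.append(cve["id"])  # found only because we read the text
    return cpe_hits, text_only_hits
```

Calling `search_product(SAMPLE_FEED, "examplevendor", "exampleapp")` returns the enriched record as a CPE hit and the unenriched one only in the text-search list, which is exactly the gap a plain NVD product search leaves unreported.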

This, plus other problems with the NVD (such as the fact that its funding could be cancelled at any time), means there needs to be a replacement for it, not just a fix. However, the replacement clearly shouldn’t be operated by another US government agency. Instead, it should be a truly international effort, funded by private organizations and governments worldwide – but with no single government providing a large share of the funding.

Fortunately, there is already a good precedent for this: the CVE Foundation, which will very likely replace the CVE Program. That international nonprofit has already received enough international pledges to completely take over operation of the CVE Program next spring, when MITRE’s current contract expires (and probably won’t be renewed due to budget pressures). A similar nonprofit organization very likely could create a new database that would fix most of the NVD’s problems – almost all of which are organizational, not technical.

Areas Covered in the Session:

  • What a vulnerability database does
  • What the National Vulnerability Database does
  • Relationship between the NVD and the CVE Program
  • Alternative vulnerability identifiers besides CVE
  • The CPE software identifier and its “competitor”, purl (“Package URL”)
  • Other vulnerability databases
  • Problems with CPE. Can they be solved?
  • Can the NVD be fixed, or do we need to replace it with a Global Vulnerability Database that wouldn’t be tied to any particular government, but would be funded by both private organizations and governments worldwide?

Who Will Benefit:

  • The primary audience is people involved in vulnerability management. In some cases, an organization will have a department or group of people dedicated to vulnerability management; in other cases, the IT or Information Security department will be responsible for vulnerability management.
  • Given how important software vulnerabilities are today, almost everyone in the IT and/or cybersecurity departments should be interested in this course. Very few IT people have a good understanding about how vulnerabilities are reported and made available in vulnerability databases.

Speaker Profile

Tom Alrich is an independent consultant and trainer specializing in two important topics:

Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC); they carry maximum penalties of $1 million per violation. While these standards have been successful in securing the grid in the 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.

Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only be successful if there are good data available on vulnerabilities, as well as data on the software or devices in which the vulnerabilities are found. Currently, two big US government programs are essential to providing that data: the CVE Program (run by the US Department of Homeland Security) and the National Vulnerability Database (run by the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.