NIST may not resolve vulnerability database backlog until early 2025, analysis shows


A new dashboard underscores the severity of the logjam that’s plagued the agency since February.

A leading U.S.-managed database of cybersecurity vulnerabilities has a processing backlog so extensive that, at current rates, it likely won’t be cleared up until early 2025, a new analysis shows.

The National Institute of Standards and Technology’s National Vulnerability Database — a cornerstone repository for researchers who use its contents and measuring tools to assess the dangers of cyber exploits — has been backed up with unanalyzed vulnerabilities since February without any clear explanation.

At current rates, nearly 30,000 vulnerabilities filed into NVD will still be awaiting analysis by the end of 2024, and may not be fully resolved until March of 2025, according to a newly released dashboard from Fortress Information Security that was first shown to Nextgov/FCW.

NIST in late May said it awarded Maryland cybersecurity firm Analygence an $865,657 task order to help clear the congestion. The agency said it expected to fix the logjam by the end of the fiscal year, or Sept. 30. To do this, it would need to assess some 217 vulnerabilities a day, according to the Fortress tables, which update daily to calculate the estimated completion time as vulnerabilities continue to pile in.

“We’ve observed that the number of vulnerabilities have been going up,” said Bryan Cowan, a product owner and security researcher at Fortress who’s overseen the dashboard’s development. Since Analygence was brought on to untangle the backlog, marginal improvements have been made to the analysis process, but it’s not clear at this point if that assessment rate will increase, he said.

A month ago, about 223 vulnerabilities were resolved, the dashboard shows. This month, that number has increased to 332, indicating the agency is making slight improvements in its ability to pore through the filings.

The dashboard does not sort by vulnerability severity, though Cowan said this feature may be added later.

"We are back to processing incoming CVEs, as we said we would be in our May 29 statement. Also as mentioned in that statement, we are planning to address the backlog in coordination with CISA. That effort has not yet been fully implemented," a NIST spokesperson told Nextgov/FCW, adding that the NVD Dashboard provides transparent, up-to-date performance statistics, and the agency will update the community about when it expects to clear the backlog as it learns more. 

Security researchers have often made use of the database’s severity score feature, which measures the acute effects of a vulnerability if a hacker takes advantage of it. Its contents have also been used to train machine learning models that can predict whether a software product contains a yet-to-be discovered vulnerability.

NIST is notably set to take an 8% budget cut under its budget request for next year while being tasked to work on critical emerging tech and national security research.

Editor's note: This article has been updated to include comments from NIST.