NIST’s vulnerability database logjam is still growing despite attempts to clear it


Vulnerability submissions increased 32% in 2024, NIST said. The agency is considering machine learning to automate certain vulnerability analysis tasks.

Despite goals set last year by the National Institute of Standards and Technology to process a backlog of unanalyzed cybersecurity vulnerabilities, the agency said it’s not expecting a slowdown anytime soon.

The National Vulnerability Database — NIST’s repository of published vulnerabilities, which researchers and security teams rely on for its severity scores and affected-product data when gauging how dangerous a flaw is — has been backed up with unanalyzed vulnerabilities since February last year. The scientific standards agency was projected to clear the logjam this month based on processing rates observed last summer, Nextgov/FCW previously reported.

But NIST said Wednesday that vulnerability submissions increased 32% in 2024 and prior processing rates from spring and early summer last year are no longer sufficient to keep up with incoming submissions. The backlog is still growing as a result.

“We anticipate that the rate of submissions will continue to increase in 2025. The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead,” an agency spokesperson said. “To address these challenges, we are working to increase efficiency by improving our internal processes, and we are exploring the use of machine learning to automate certain processing tasks.”

When NIST receives a vulnerability, the record remains “unenriched” until NVD analysts review it and add the enrichment data: a CVSS severity score, a CWE weakness classification and CPE applicability statements naming the affected products. Security teams use that data to decide how urgently to remediate a flaw or whether they are exposed to it at all. Depending on the vulnerability, enrichment can take significant time.

“They’ve gotten better by over 100% but the bad news is that their workload has been increasing,” said Bryan Cowan, a product owner and security researcher at Fortress Information Security who has been tracking NIST’s rate of vulnerability enrichments.

NIST last May said it awarded Maryland cybersecurity firm Analygence a nearly $870,000 task order to help clear the congestion.

“They were doing training, getting more resources to help out, and you can clearly see the difference there. I think for them, it just seems like they're getting slammed,” Cowan said.

A Fortress dashboard tracking enrichment rates shows that NIST has been increasing the rate of vulnerability analysis but that, between February and March, it received a greater number of submissions to process. Just this week, it received close to 340, according to data viewed at the time of publishing.

Security researchers make frequent use of the database’s severity scores (CVSS base scores), which estimate the impact of a vulnerability if an attacker exploits it. Its contents have also been used to train models that predict whether a software product contains a yet-to-be-discovered vulnerability.

“For us, it’s just a realization that this is kind of the new normal, unfortunately,” Cowan added. “If you’re going to tackle the backlog, you’re gonna have to go higher than [current rates]. So it’s one of those things where looking at the crystal ball the way things are now, I don’t know that we’ll ever get to there being zero in the backlog.”