Plan to resuscitate beleaguered vulnerability database draws criticism
The federal official in charge of a crucial vulnerability database that has recently gone mostly dark said Wednesday that she hoped the formation of a consortium would improve the repository, a move that some experts immediately criticized as too slow to address an urgent problem.
In mid-February, the National Institute of Standards and Technology stopped providing key metadata for many vulnerabilities in its National Vulnerability Database, which cybersecurity professionals describe as a critical tool for computer security functions globally and whose absence could result in dangerous vulnerabilities going unfixed.
Tanya Brewer, who manages the National Vulnerability Database program, said at a conference on Wednesday that a notice forthcoming in the Federal Register in the next two weeks will announce the process for forming an outside consortium to help improve the database.
Compared to other resources of its kind, “NVD is not the best database,” Brewer said. If it were, “I would not be putting together a consortium asking industry to help make it better,” she said at VulnCon in Raleigh, N.C. “There’s a lot of room for the NVD to improve, and I think we have the capability to be a much better database than we are.”
Planned improvements in the next one to five years include offering customizable alerts and new data types, as well as developing a way to partially automate analysis of Common Vulnerabilities and Exposures, or CVEs, a glossary of vulnerabilities, Brewer said.
Brewer did not offer a detailed explanation about what led to the reduced activity on the database, chalking it up to a long story that amounts to “administrivia,” a growing volume of data submitted to the database and budget cuts affecting her agency.
Since early 2020, email traffic related to the database has tripled while staff size has remained flat, never rising above 21 people at any point, Brewer said. The program isn’t equipped to receive massive amounts of data either, she said, such as “Common Platform Enumerations” or CPEs — a naming scheme for software products.
“One of my short-term goals for the consortium I’m standing up is to build a system that will let manufacturers give us just big dumps of CPE data,” she said. Now, if someone offers to give the program 74,000 CVEs, the answer would be, “‘Oh please don’t,’” Brewer said. “But in a year’s time, I want the answer to be, ‘Yes, please.’”
Until the formation of the consortium, the NVD program office is reallocating personnel and working with other agencies toward “fixing the current problem,” she said. In the meantime, she said the office is still “taking care of priority things,” such as responding to vulnerabilities on a Cybersecurity and Infrastructure Security Agency so-called “must patch” list or Microsoft’s Patch Tuesdays.
Cybersecurity professionals have been pushing for NVD to resume its normal operations in recent months. A recent open letter to Secretary of Commerce Gina Raimondo and members of Congress that was signed by two dozen security professionals called on the U.S. government “to ensure NIST is provided with the necessary resources to not only resume normal operations of this critical service but to also improve it further to resolve extant issues that preceded the February 2024 service degradation.”
Dan Lorenc, the co-founder and CEO of Chainguard who helped organize the letter, said Brewer’s proposal to form a consortium was insufficient.
“While I appreciate hearing directly from NIST regarding the situation involving NVD, the comments do not inspire confidence in a timely resolution,” he said.
A consortium isn’t the answer, he said, because “adding layers of governance and bureaucracy can slow things down, which does not instill confidence. While I believe there’s room for industry to collaborate with NIST, I believe that a single entity should clearly own and operate NVD, especially given its critical role as a source of truth for the federal government.”
Jerry Gamblin, a principal engineer at Cisco Threat Detection & Response, said he was hopeful about the consortium making a difference.
“They weren’t able to analyze all CVEs before the slowdown, so I hope the consortium can help them get to 100% coverage,” he said via email. “We don’t have new data we can share, but what we are seeing essentially maps to public reporting about the number of CVEs left unanalyzed. We understand that NIST is aware of the problem and the concerns — and is working diligently to modernize NVD.”
A consortium could be another six to nine months away from forming, though, said Tom Alrich, who leads the OWASP SBOM Forum project. That’s “not exactly a solution to the problem,” he said. While Alrich said he was sympathetic to the program’s difficult situation, he was frustrated about the lack of specificity about what had caused the problem in the first place.