2024-03-25 19:43:47

Adam Shostack :donor: :rebelverified: on Nostr:

New blog post

The National Vulnerability Database (the NVD) appears to be in some sort of hiatus, no longer assigning CVSS information to CVEs. They’ve posted a note:

NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.

If you want to understand what’s happening, hackread says [@joshbressers](https://infosec.exchange/@joshbressers) first drew attention to it, and Josh has a podcast on the episode. Me, I wonder if this has to do with the 12% budget reductions at NIST. Beyond the why, many people are quite concerned, because they’ve been using CVSS scores to reduce the amount of patching work they do, generally under a label like “risk management.” (I prefer to think of it as workload management when you’re letting someone else make “risk” decisions for you. And that’s fine. We do this outsourcing in all parts of life, work and personal.)

Full post:
https://shostack.org/blog/the-nvd-crisis/

#NVD #CVSS #patchmanagement
#riskmanagement

Author Public Key
npub1s7cghayd6cuu7tnvxw6xlxq5ddz0grs956tzwsqj59v5vvucgd7sdgrcqn