Sunday, November 24, 2024

NVD Backlog Continues to Grow

The backlog of unanalyzed vulnerabilities at the National Vulnerability Database continues to grow, with new estimates suggesting the backlog could reach nearly 30,000 unanalyzed vulnerabilities by the end of 2024.

The National Vulnerability Database, maintained by the National Institute of Standards and Technology, is the United States’ official repository for common vulnerabilities and exposures. Many scanners, analysts, and vendors depend on the NVD to determine what software has been affected by a vulnerability. When vulnerabilities are not added to the database in a timely manner, it impacts the enterprise defender’s ability to prioritize vulnerabilities that need immediate patching, or to identify issues that affect multiple applications.
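The dependency described above is concrete: a scanner that keys on NVD's CPE configurations and NVD-assigned CVSS scores has nothing to match against until an analyst has enriched the record. The following Python helper is an added example, not code from the article or from NIST; it assumes the NVD API 2.0 response layout (`vulnerabilities[].cve` with `vulnStatus`, `metrics` and `configurations`), uses constructed sample records with placeholder CVE ids, and shows how a defender can tell which records are scanner-ready, which can be prioritised on a CNA-supplied score while affected products are matched by hand, and which have no score at all.

```python
"""Triage CVE records in NVD API 2.0 JSON shape by enrichment status.

Added example, not code from the article or from NIST. It assumes the
NVD API 2.0 layout (vulnerabilities[].cve with vulnStatus, metrics and
configurations). The sample records below are constructed; CVE ids are
placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like an NVD API 2.0 response (placeholder CVE ids).
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",          # NVD analyst has enriched it
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8}},
                {"source": "cna@example.invalid", "type": "Secondary",
                 "cvssData": {"baseScore": 8.1}},
            ]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*",
                 "vulnerable": True}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0002",
            "vulnStatus": "Awaiting Analysis",  # in the backlog; CNA score only
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.invalid", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5}},
            ]},
        }},
        {"cve": {
            "id": "CVE-0000-0003",
            "vulnStatus": "Received",           # nothing to score or match on yet
            "metrics": {},
        }},
    ]
}


@dataclass
class Triage:
    cve_id: str
    status: str
    score: Optional[float]
    score_source: str   # "nvd", "cna" or "none"
    has_cpe: bool       # NVD has attached CPE configurations a scanner can match
    action: str


def _best_score(metrics):
    """Prefer NVD's Primary CVSS v3.x score; fall back to a CNA (Secondary) one."""
    entries = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
    primary = [m for m in entries if m.get("type") == "Primary"]
    if primary:
        return primary[0]["cvssData"]["baseScore"], "nvd"
    if entries:
        return entries[0]["cvssData"]["baseScore"], "cna"
    return None, "none"


def triage_record(cve):
    """Classify one CVE record by how much NVD enrichment it carries."""
    status = cve.get("vulnStatus", "")
    score, source = _best_score(cve.get("metrics", {}))
    has_cpe = bool(cve.get("configurations"))
    if status in ("Analyzed", "Modified"):
        action = "scanner-ready"
    elif score is not None:
        action = "prioritise on CNA score; match affected products manually"
    else:
        action = "no score or CPE: review advisory text manually"
    return Triage(cve["id"], status, score, source, has_cpe, action)


def triage_response(response):
    return [triage_record(v["cve"]) for v in response.get("vulnerabilities", [])]


def backlog_ids(response):
    """CVEs a CPE-based scanner cannot match yet because NVD has not analyzed them."""
    return [t.cve_id for t in triage_response(response) if not t.has_cpe]


if __name__ == "__main__":
    for t in triage_response(SAMPLE_RESPONSE):
        print(f"{t.cve_id:14} {t.status:18} score={t.score} ({t.score_source}) "
              f"cpe={t.has_cpe} -> {t.action}")
```

Run against a real API response, `backlog_ids` is the list of CVEs for which a scanner's "not affected" result means only "NVD has not said yet", which is the gap the article describes.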

NVD currently has a backlog of 16,974 vulnerabilities, and receives, on average, about 111 additional security flaws daily. Data from Fortress Information Security suggests analysts would need to process more than 217 vulnerabilities each day just to clear the backlog and keep up with the new ones being reported. Currently, NIST is averaging just over 30 new CVEs per day, according to Fortress.

Resource challenges, an increase in the volume of vulnerabilities being disclosed, and other constraints have hampered NIST’s ability to process the vulnerabilities in a timely manner, NIST said earlier this year. The agency announced a partnership with the Cybersecurity and Infrastructure Security Agency as well as a contract with a private cybersecurity company for help clearing the backlog. The aim was to reduce the backlog by Sept. 30, the end of the government’s fiscal year.

According to Fortress, NIST has analyzed just a little over a quarter of new CVEs discovered in 2024. At the current pace, Fortress estimates there will be 29,569 vulnerabilities still awaiting analysis by the end of 2024—and that calculation is based on the assumption that analysts are working seven days a week.

With 155 days left in 2024 (and just 62 days to the end of the fiscal year), NIST would have to make significantly more resources available to make a reasonable dent in the backlog.
