The National Institute of Standards and Technology (NIST) has announced it will cease assigning CVSS severity scores to lower-priority vulnerabilities in the National Vulnerability Database (NVD), citing an unsustainable workload driven by rapidly growing CVE submission volumes. The decision represents a significant operational shift for the world's most widely referenced vulnerability database and has immediate implications for organizations that rely on NVD scoring for patch prioritization.
What Is Changing
Under the new policy, NIST will:
- Focus CVSS enrichment exclusively on high-priority vulnerabilities — those with active exploitation indicators, widespread impact, or critical infrastructure relevance
- Defer or skip CVSS scoring for lower-priority CVEs, leaving them in the NVD with minimal metadata
- Maintain CVE descriptions and references for all entries, but reserve the full analysis pipeline for prioritized findings
The change takes effect immediately and will apply retroactively — a backlog of already-published CVEs that have not yet received CVSS scores may remain unscored indefinitely.
Why NVD Capacity Is Under Pressure
The CVE program has seen explosive growth in recent years. Security researchers, automated scanners, bug bounty hunters, and AI-assisted vulnerability discovery tools have dramatically increased the volume of new CVE submissions.
| Year | Approximate Annual CVE Count |
|---|---|
| 2020 | ~18,000 |
| 2022 | ~25,000 |
| 2024 | ~40,000+ |
| 2026 (projected) | ~60,000+ |
NIST's NVD team, responsible for enriching each CVE with CVSS scores, CWE classifications, CPE applicability data, and references, has not scaled proportionally with this volume. The result is an ever-growing analysis backlog that makes timely scoring for all entries impossible under current resourcing.
This issue is not new — NIST paused routine NVD enrichment in early 2024, citing a need to reassess operational processes, and has been working with government and private-sector partners to address the gap ever since.
Implications for Security Teams
The NVD CVSS score is foundational to many vulnerability management programs. Most commercial vulnerability scanners, SIEM platforms, and patch management tools ingest NVD data and surface CVSS scores to guide remediation prioritization. When scores are absent, these tools may:
- Fail to surface unscored CVEs as actionable items
- Assign default low scores, causing legitimate risks to be deprioritized
- Leave gaps in compliance reporting that depends on CVSS-based risk thresholds
Practical Impact for Organizations
Vulnerability Management Programs: Teams using CVSS-only prioritization models will find an increasing number of CVEs with no score, requiring manual triage or reliance on alternative enrichment sources.
Compliance Frameworks: Some frameworks (PCI DSS, FedRAMP, HIPAA guidance documents) reference CVSS thresholds for remediation timelines. Unscored CVEs introduce ambiguity in compliance reporting.
Automated Patching Tools: Tools that trigger on CVSS ≥ 7.0 or CVSS ≥ 9.0 thresholds will not trigger for unscored CVEs, potentially leaving vulnerabilities unpatched.
Alternative Enrichment Sources
Organizations should augment NVD data with additional vulnerability intelligence sources to compensate for the scoring gap:
| Source | What It Provides |
|---|---|
| CISA KEV Catalog | Authoritative list of actively exploited vulnerabilities — the highest priority patch targets |
| EPSS (Exploit Prediction Scoring System) | Probability-based exploit likelihood score, updated daily |
| Vendor Security Advisories | Vendor-assigned severity, often published faster than NVD enrichment |
| VulDB | Independent CVSS scoring with rapid turnaround |
| Tenable / Qualys / Rapid7 | Commercial enrichment pipelines that supplement NVD data |
| GitHub Advisory Database | Open-source package vulnerability data with independent scoring |
CISA KEV Remains the Gold Standard for Prioritization
NIST's move underscores the growing importance of the CISA Known Exploited Vulnerabilities (KEV) catalog as the definitive prioritization signal for security teams. KEV entries represent vulnerabilities with confirmed active exploitation — regardless of CVSS score — and carry mandatory remediation deadlines for federal agencies.
Security teams operating risk-based vulnerability management programs should treat CISA KEV status as a higher-priority signal than CVSS score alone.
```bash
# Fetch the current CISA KEV catalog (JSON) and list the fields most useful for triage
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
  | jq '.vulnerabilities[] | {cveID, vendorProject, product, dateAdded, dueDate}' \
  | head -60
```
The Bigger Picture: CVE Volume Unsustainability
NIST's decision reflects a structural challenge facing the entire vulnerability disclosure ecosystem. As AI-assisted code analysis, automated fuzzing, and large-scale bug bounty programs accelerate vulnerability discovery, the organizational infrastructure responsible for cataloguing and scoring those vulnerabilities has not kept pace.
The CVE program itself has faced similar pressures — the number of CVE Numbering Authorities (CNAs) has expanded dramatically, with hundreds of organizations now able to self-issue CVE identifiers. While this improves coverage, it also means NIST receives more CVEs to enrich with less time per entry.
Security researchers and vendors have called for additional federal investment in NVD staffing and tooling, or a partial transition to a distributed, community-maintained enrichment model similar to how open-source databases like OSV operate.
Recommendations
- Do not rely solely on NVD CVSS scores for vulnerability prioritization — supplement with EPSS, vendor advisories, and the CISA KEV catalog
- Subscribe to vendor security mailing lists directly — vendors often publish severity ratings faster than NVD enrichment occurs
- Implement exploit-based prioritization — prioritize patching vulnerabilities with confirmed proof-of-concept code or active exploitation over CVSS score alone
- Update compliance documentation to acknowledge NVD scoring gaps and document alternative enrichment sources used
- Monitor NIST NVD announcements for updates to the new policy scope and any future changes
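The threshold failure described under Practical Impact (a tool that fires on CVSS ≥ 7.0 never fires for an unscored CVE) and the exploit-first prioritization recommended above, as an added example that is not code from the article or from BleepingComputer. It shows the weak check beside a hardened one that treats a missing NVD score as "unknown" rather than zero and ranks CISA KEV membership above any CVSS value. The `Finding` dataclass, the tier names, and the EPSS/CVSS cut-offs are assumptions for illustration; the KEV feed sample mirrors the field names the `jq` pipeline above selects, but its CVE ids are placeholders, and the EPSS values are constructed:

```python
"""Prioritising findings when the NVD CVSS score is absent (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample of a KEV feed document, using the same field names the
# curl | jq pipeline selects. The CVE ids are placeholders, not real KEV entries.
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
   "dateAdded": "2025-01-10", "dueDate": "2025-01-31"},
  {"cveID": "CVE-0000-0005", "vendorProject": "ExampleVendor", "product": "ExampleOS",
   "dateAdded": "2025-02-01", "dueDate": "2025-02-22"}
]}
"""

# Constructed EPSS lookup: probability of exploitation within 30 days.
EPSS_SCORES = {"CVE-0000-0001": 0.91, "CVE-0000-0002": 0.02, "CVE-0000-0003": 0.63}

# Assumed tier thresholds; tune them to your own risk appetite.
EPSS_HIGH = 0.5
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0


@dataclass
class Finding:
    """One scanner finding (hypothetical shape). cvss is None when NVD has not enriched the CVE."""
    cve_id: str
    cvss: Optional[float] = None
    vendor_severity: Optional[str] = None  # e.g. "critical" or "high" from a vendor advisory


def load_kev_ids(feed_json: str) -> set[str]:
    """Set of CVE ids listed in a KEV feed document."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def kev_overdue(feed_json: str, today_iso: str) -> list[str]:
    """KEV entries whose remediation dueDate is already in the past as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    entries = json.loads(feed_json)["vulnerabilities"]
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today)


def naive_should_patch(f: Finding) -> bool:
    """Weak form: an unscored CVE silently becomes 0.0 and never trips the threshold."""
    return (f.cvss or 0.0) >= CVSS_HIGH


def prioritize(f: Finding, kev_ids: set[str], epss: dict[str, float]) -> str:
    """Hardened form: exploitation evidence first, CVSS second, never a silent default.

    Returns a tier P1..P4, or TRIAGE when no signal exists, so the finding is
    surfaced for manual review instead of being buried as low severity.
    """
    if f.cve_id in kev_ids:
        return "P1"  # confirmed active exploitation outranks any score
    if epss.get(f.cve_id, 0.0) >= EPSS_HIGH:
        return "P2"
    if f.cvss is not None:
        if f.cvss >= CVSS_CRITICAL:
            return "P2"
        if f.cvss >= CVSS_HIGH:
            return "P3"
        return "P4"
    # No NVD score: borrow the vendor's severity, otherwise flag for human triage.
    if (f.vendor_severity or "").lower() in {"critical", "high"}:
        return "P3"
    return "TRIAGE"


def compare(findings: list[Finding], kev_ids: set[str], epss: dict[str, float]) -> list[tuple[str, bool, str]]:
    """Side by side: (cve_id, naive decision, hardened tier) for each finding."""
    return [(f.cve_id, naive_should_patch(f), prioritize(f, kev_ids, epss)) for f in findings]


if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED_JSON)
    sample = [
        Finding("CVE-0000-0001"),                         # in KEV, but unscored in NVD
        Finding("CVE-0000-0002"),                         # unscored, no other signal
        Finding("CVE-0000-0003", cvss=5.5),               # medium CVSS, high EPSS
        Finding("CVE-0000-0004", vendor_severity="High"), # unscored, vendor says High
        Finding("CVE-0000-0006", cvss=9.8),               # the only one the naive check catches
    ]
    for row in compare(sample, kev, EPSS_SCORES):
        print(row)
    print("overdue KEV:", kev_overdue(KEV_FEED_JSON, "2025-02-15"))
```

Of the five constructed findings, the naive threshold patches only the one with a CVSS of 9.8; the hardened function puts the KEV entry at P1, the high-EPSS medium at P2, the vendor-rated unscored CVE at P3, and leaves the signal-less unscored CVE in TRIAGE rather than dropping it. The `kev_overdue` helper uses the same `dueDate` field the `jq` query extracts, which is the deadline KEV attaches for federal agencies.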
Source: BleepingComputer