The National Vulnerability Database (NVD) – Where It Is and Where It’s Going

CVE/FIRST VulnCon 2025 · Main Stage

The National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST) under the Department of Commerce, serves as the United States government's repository of standards-based vulnerability management data. This talk at VulnCon, delivered by NVD Program Manager Tanya Brewer and NIST's Matt Scholl, provided a crucial update on the NVD's current state, recent operational overhauls, and strategic direction. It addressed significant challenges faced in the past year, including a processing "pause" and a surge in vulnerability disclosures, and outlined how NIST is adapting to ensure the NVD remains a reliable and efficient resource for the global security community.

AI review

This is a policy/operational briefing from the people who actually run the NVD, so the right question isn't 'did they drop a CVE?' but 'did they tell us something we couldn't get from a press release?' Partially yes. The gap-filling policy change, the confirmation that the CPE spec overhaul is real work with a community workshop attached, the frank admission that early ADP ingestion had to be rebuilt from scratch, and the concrete timelines (search overhaul in 2-3 months, Vulntology public by summer, external CPE console later this year) all constitute genuine signal for anyone whose tools…
