May 8, 2024 - Technology

How the feds will tackle the software bug backlog

Illustration of an open safe revealing a spreadsheet of data.

Illustration: Annelise Capossela/Axios

The nation's cyber defense agency is taking a bigger role in reviewing data that lands on a consequential security vulnerability database.

Why it matters: The National Institute of Standards and Technology (NIST) has significantly slowed down work on the National Vulnerability Database in the last three months seemingly without much warning or explanation.

  • Vulnerability scanners rely on the database to pull information needed to scan corporate systems for signs of a reported security flaw.

Zoom in: The Cybersecurity and Infrastructure Security Agency shared a new plan Wednesday aimed at alleviating some of the problems NIST has been facing with the database.

  • Under the new "Vulnrichment" program, CISA will start reviewing newly published vulnerabilities and adding certain so-called "enrichment data," including details about how severe the bugs are.
  • That review includes assessing which vulnerabilities could have widespread impacts across critical infrastructure and other sectors.
  • CISA is posting the details about the vulnerabilities it tests on a new GitHub page, and it's already added enrichment data to 1,300 vulnerabilities.

Between the lines: Typically, security researchers have gone through a complicated process—involving NIST, research lab Mitre and others—to report a vulnerability and see it listed in the government database.

  • First, they'd report the discovered bug to Mitre or to a CVE Numbering Authority (CNA).
  • Mitre or the CNA then registers the vulnerability in the Common Vulnerabilities and Exposures program and assigns the bug a standardized identifier.
  • Then, historically, NIST would independently analyze the bug and provide the "enrichment data" before posting the vulnerability on the NVD.
  • CISA's new project will provide that enrichment data so other lists like the NVD can pull from it.
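As an added example (not code from the article, from NIST or from CISA), here is the consumer side of that pipeline: a small Python parser that takes a CVE record in the CVE JSON 5 layout containing both the CNA's container and an ADP container of the kind an enrichment program publishes, and pulls out the CVSS, SSVC and CWE data a scanner would otherwise wait on the NVD for. The record below is constructed for this example with a placeholder CVE ID and invented values; the `CISA-ADP` provider name, the SSVC option layout and the triage rule in `prioritize` are assumptions, not something the article states.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample record (placeholder CVE ID, invented values) in the CVE JSON 5
# layout: a CNA container with the reporter's description, plus an ADP container
# carrying enrichment data. The "CISA-ADP" short name is an assumption.
SAMPLE_RECORD: Dict[str, Any] = json.loads(r"""
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {"cveId": "CVE-2024-99999", "state": "PUBLISHED"},
  "containers": {
    "cna": {
      "providerMetadata": {"shortName": "example-cna"},
      "descriptions": [{"lang": "en", "value": "Constructed sample: auth bypass in example-app."}],
      "affected": [{"vendor": "example", "product": "example-app",
                    "versions": [{"version": "1.0", "status": "affected"}]}]
    },
    "adp": [
      {
        "providerMetadata": {"shortName": "CISA-ADP"},
        "metrics": [
          {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
          {"other": {"type": "ssvc", "content": {"options": [
              {"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}]}}}
        ],
        "problemTypes": [{"descriptions": [
          {"type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}]
      }
    ]
  }
}
""")


def _metric_cvss(metrics: List[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Return the first CVSS v3.x block in a container's metrics list, if any."""
    for m in metrics:
        for key in ("cvssV3_1", "cvssV3_0"):
            if key in m:
                return m[key]
    return None


def _metric_ssvc(metrics: List[Dict[str, Any]]) -> Optional[Dict[str, str]]:
    """Flatten SSVC decision points ({"Exploitation": "none"}, ...) into one dict."""
    for m in metrics:
        other = m.get("other", {})
        if other.get("type") == "ssvc":
            flat: Dict[str, str] = {}
            for opt in other.get("content", {}).get("options", []):
                flat.update(opt)
            return flat
    return None


def adp_containers(record: Dict[str, Any], short_name: Optional[str] = None) -> List[Dict[str, Any]]:
    """ADP containers in the record, optionally filtered by provider short name."""
    adps = record.get("containers", {}).get("adp", [])
    if short_name is None:
        return adps
    return [a for a in adps if a.get("providerMetadata", {}).get("shortName") == short_name]


def extract_enrichment(record: Dict[str, Any], adp_short_name: str = "CISA-ADP") -> Dict[str, Any]:
    """Merge CNA and ADP data: CNA's own CVSS wins if present, otherwise the ADP's."""
    cna = record["containers"]["cna"]
    sources = [(cna.get("providerMetadata", {}).get("shortName", "cna"), cna)]
    sources += [(adp_short_name, a) for a in adp_containers(record, adp_short_name)]
    result: Dict[str, Any] = {"cve_id": record["cveMetadata"]["cveId"], "cvss_base_score": None,
                              "cvss_vector": None, "cvss_source": None, "ssvc": None, "cwes": []}
    for name, container in sources:
        cvss = _metric_cvss(container.get("metrics", []))
        if cvss is not None:
            result.update(cvss_base_score=cvss.get("baseScore"),
                          cvss_vector=cvss.get("vectorString"), cvss_source=name)
            break
    for _, container in sources:
        if result["ssvc"] is None:
            result["ssvc"] = _metric_ssvc(container.get("metrics", []))
        for pt in container.get("problemTypes", []):
            for d in pt.get("descriptions", []):
                if d.get("cweId") and d["cweId"] not in result["cwes"]:
                    result["cwes"].append(d["cweId"])
    return result


def prioritize(enrichment: Dict[str, Any]) -> str:
    """Simplified triage from the SSVC points (an assumption, not the official SSVC tree)."""
    ssvc = enrichment.get("ssvc") or {}
    exploitation = ssvc.get("Exploitation", "none").lower()
    automatable = ssvc.get("Automatable", "no").lower() == "yes"
    impact = ssvc.get("Technical Impact", "partial").lower()
    if exploitation == "active":
        return "act"
    if automatable and impact == "total":
        return "attend"
    if exploitation == "poc" or (enrichment.get("cvss_base_score") or 0) >= 9.0:
        return "track*"
    return "track"


if __name__ == "__main__":
    enriched = extract_enrichment(SAMPLE_RECORD)
    print(json.dumps(enriched, indent=2), prioritize(enriched))
```

The point of the fallback order is the situation the article describes: when the CNA supplies no score and the NVD has not analyzed the record, the ADP container is the only structured severity data a scanner can pull, so a consumer should read it rather than treat the CVE as unscored. Check the real files in the repository for the exact provider name and field layout before relying on this parser.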

What they're saying: "NVD has been and continues to be an essential source for such information," a CISA spokesperson said in a statement.

  • "Through the shared efforts of NIST and CISA, we will continue to help organizations reduce the risk of newly disclosed vulnerabilities while driving vendors to reduce the prevalence of such vulnerabilities by design."

Flashback: CISA once had a "sponsored" logo on the NVD's website, which disappeared in September, according to screenshots in the Internet Archive.

The big picture: NIST had not gone into detail about why it suddenly stopped updating the database, spurring anxiety among security executives who have relied on the list.

  • The NIST website says it is faced with a "growing backlog of vulnerabilities" to review, and it was looking for "longer-term solutions to this challenge."
  • A NIST official said in March that the agency will go through the government's rule-making process to stand up a new industry consortium to address its problems with the database.

Zoom out: NIST did not immediately respond to a request for comment, but on its website, it appears its work on the NVD has nearly halted.

  • So far this month, the agency has analyzed just one vulnerability out of the 1,796 that have hit the CVE list.
  • Overall this year, the agency has reviewed 31% of the vulnerabilities published in the CVE program.

What's next: CISA notes on its GitHub page that its new program will evolve quickly and encourages users to keep checking for more details.
