(comments)

Original link: https://news.ycombinator.com/item?id=43700607

The failure to renew the contract threatens the CVE program, a critical cybersecurity resource. Funding cuts to the National Vulnerability Database (NVD), maintained by the US National Institute of Standards and Technology (NIST), have been ongoing for more than a year, producing a growing backlog of vulnerabilities. Although the CVE program is run by MITRE, NIST's NVD enriches CVE data with scoring and analysis, which is what makes it so widely relied upon. The security community worries that a growing number of vulnerabilities will go unaddressed, some of which are already being exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) is starting a "Vulnrichment" effort to add more information to CVEs. The NVD and CVE programs have faced backlogs and funding problems for several years, and most security vendors are either cagey about providing vulnerability information in a timely manner (since it can reduce their own competitive advantage) or try to upsell their own alternative risk-prioritization scores. Alternatives such as a collaborative consortium are under consideration but have not yet materialized. The disruption raises concerns about the US losing its technological and scientific leadership, as well as about increased security risk.


Original text
CVE program faces swift end after DHS fails to renew contract (csoonline.com)
45 points by healsdata 1 hour ago | hide | past | favorite | 42 comments

If you work on OSS software on CVE management, then you already know that NVD funding reductions have been ongoing for more than a year.

April 2024, https://nvd.nist.gov/general/news/nvd-program-transition-ann...

  NIST maintains the National Vulnerability Database (NVD).. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities.. based on.. an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.. We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.
Sep 2024, Yocto Project, "An open letter to the CVE Project and CNAs", https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...

> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many project's ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.

Five years ago (2019), I helped to organize a presentation by CERT Director which covered the CVE backlog and lack of resources, e.g. many vulnerabilities reported never even receive a CVE number. It has since averaged less than a hundred views per year, even as the queue increased and funding decreased, https://www.youtube.com/watch?v=WmC65VrnBPI



What has been ongoing for more than a year?

The funding appears to have been cut off today, and both of these comments seem to talk about continuing work and how important it is.

Do you mean to say that some form of threat to the NVD has been around for over a year now? Just want to be sure I'm parsing correctly!



Yes, NVD funding cuts and a growing CVE backlog began in late 2023.

May 2024, https://therecord.media/nist-database-backlog-growing-vulnch...

> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment,” which will add much of the information described by Garrity to CVEs.

The second VulnCon event took place last week, https://ygreky.com/2025/04/vulncon-2025-impressions/

  Vulnerability enrichment was mentioned in many talks. However, most organizations seem to handle it internally. There doesn’t appear to be momentum toward a shared or open source solution – at least not yet.


I've noticed that there's a post like this in most articles on HN that could be construed as negative for the current administration: some vague false statement followed by either a factually incorrect explanation or some quote that does not support the statement.


What is incorrect about the post above? There are citations from multiple reputable news outlets for each claim.

People who actually work with CVEs have been posting about this problem on HN for 18 months.



Your post has now been edited to be factually correct. But the misleading implication that this abrupt cut is part of some other cuts that started before remains.


The post links to the official _2024_ (not 2025) statement about NVD cutbacks.



I'm trying to steelman but I really can't think of a non-nefarious justification for this.


I think it’s ignorance and arrogance. The US seems to be on a path to lose technological and science leadership. The current leadership doesn’t seem to understand things that aren’t flashy. I wonder when they’ll dial back on food safety. I am sure RFK knows some vitamins that protect against salmonella.


important to note: the US's food safety is already really bad. salmonella isn't a thing you have to worry about in first world countries. can't wait to see what plague demon spawns out of a food industry running amok after the FDA gets gutted.


It's incredibly foolish. Whatever the justification is, it doesn't matter as much as the horrible outcome.

This is one of those things the government does for the benefit of the whole.



Privatize all teh things?


April 2024 article on the result of NVD funding cutbacks, with comments by Linux Foundation OpenSSF, security startups like ChainGuard and commercial vendors, https://www.securityweek.com/cve-and-nvd-a-weak-and-fracture...

  Threat intelligence firm Flashpoint noted in March 2024 it was aware of 100,000 vulnerabilities with no CVE number and consequently no inclusion in NVD. More worryingly, it said that 330 of these vulnerabilities (with no CVE number) had been exploited in the wild.. Since the start of 2024 there have been a total of 6,171 total CVE IDs with only 3,625 being enriched by NVD. That leaves a gap of 2,546 (42%!) IDs.
Despite all those private companies and various OSS projects being willing to contribute ideas, infrastructure and code, they have somehow failed to coalesce into a decentralized replacement for NVD, built on CC0 data and OSS tooling.


This neo-liberal approach has no place for soft diplomacy, which is what US hegemoney relies on.

This isn't just a rapid disassembly of economic structures, any trust and goodwill is completely obliterated as well.



> I really can't think of a non-nefarious justification for this

Tragedy of the commons - NVD and the CVE project have been backlogged and facing funding issues for a couple of years now, and most security vendors are either cagey about providing vulns in a timely manner (as it can reduce their own comparative advantage), or try to upsell their own alternative risk prioritization scores.

Every company will gladly use NVD and CVE data, but no one wants to subsidize it and help a competitor, especially in an industry as competitive as cybersecurity.



We have a 2tn deficit. If Congress wants to fund this, they need to make it mandatory spending and raise taxes.


That's a good idea to raise during the budget time or with some warning ahead of time. But even discussing the cost of CVE program itself is likely a waste of time and money. When trying to deal with 2tn deficit, looking at things that historically got ~$5M is just a distraction. And the lack of it may cost even more given how many existing agreements/contracts rely on cve to be a thing - maybe just in gov lawyers having to rewrite things.


Selling bonds is not the same thing as a family budget being in the red. Either you know this and you're making this argument in bad faith, or you don't and, well...


Or cut from $877B in defense spending instead?

https://usafacts.org/government-spending/



The process seems to be to dismantle anything not nailed down in government.

Now if you want that to be a thing ... you have to go through Trump & Co and pay your bribe to get it back up.



> I'm trying to steelman

Why? This administration is not acting in good faith, you don't have to act as if they are. People and institutions doing that is part of how we got here in the first place.



I still find it wild that so many people are trying to frame these decisions through a political lens. These are the actions of a foreign bad actor dismantling critical institutions from within, not "bad policy".

Surely there's an antibody response.



Force of habit. We don't have a framework for talking under these circumstances, so we apply our outdated ones.

As you say, that's exactly what got us here. But the alternatives are very unclear, and seem deeply unpleasant.



Yeah this shit sucks. idk how to handle it either but I do think we are going to have to be unpleasant some.

But, fwiw, it's not exactly how we got here: just a small part of it. We had earlier and better chances to stop it but still we're here because of the intentional choices of these neosegregationist freaks and their abominably rich supporters.



We don’t need to spend tax dollars to increment sequential integers.

The “CVE program” can be done by a volunteer or two in spare time. It’s not some major operation, it’s just a registry of integers that can live on GitHub.



Thanks for volunteering to manage the "300-600 CVEs each month"!

The world needs more volunteers like you.



How do you get your volunteers in the first place and manage them so you know it's time to get a new one if the quality of their work is slipping?


Found the blackhat


This is like saying the patent system is just an incrementing counter.


Who needs volunteers? Let AI handle it!


Yet so far no volunteer has emerged, and people who do run CNAs are pretty busy with it.


I think sneak would volunteer to do it since it is pretty simple according to them.


Any work people don't understand must be easy and replaceable by chatgpt. Just look at how easy people here think farming is.


Grok becoming an artificial nepobaby running the entire CVE program with zero oversight sounds so fucking funny I don't even care, PLEASE god make this real holy shit I can't breathe at the thought


What are the implications of this? No more centralized store of vulnerability information?


According to Brian Krebs: https://infosec.exchange/@briankrebs/114343835430587973

> Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. The CVE website will still be up.



Is MITRE's CVE program redundant with NIST's National Vulnerability Database? I'm having a hard time telling how the two are related, or if NVD is simply performing the same service as MITRE.


NIST NVD relies on the CVE program. (Vulnerabilities get reported, MITRE assigns CVEs and publishes them, NIST then copies that list and adds their own scoring etc. to it.)
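A small check for the CVE-to-NVD relationship described in the comment above, and for the "enriched vs. not enriched" gap quoted from Flashpoint earlier in the thread. This is an added example, not code from the thread, MITRE or NIST: it validates MITRE-style CVE identifiers and counts how many records in an NVD-API-2.0-shaped feed carry no CVSS v3.1 enrichment. The records are constructed for the example (the IDs are not real CVEs); the `id`, `vulnStatus` and `metrics.cvssMetricV31` field names follow the public NVD API 2.0 layout.

```python
import re

# Constructed sample records shaped like NVD API 2.0 "vulnerabilities[].cve" entries.
# The IDs and statuses are made up for this example; they are not real CVEs.
SAMPLE_NVD_RECORDS = [
    {"id": "CVE-2024-0001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}},
    {"id": "CVE-2024-0002", "vulnStatus": "Awaiting Analysis", "metrics": {}},
    {"id": "CVE-2024-0003", "vulnStatus": "Awaiting Analysis"},
    {"id": "CVE-2024-0004", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}},
    {"id": "CVE-2024-0005", "vulnStatus": "Undergoing Analysis", "metrics": {}},
    {"id": "not-a-cve", "vulnStatus": "Analyzed"},  # junk entry, should be skipped
]

# CVE-YYYY-NNNN with at least four sequence digits; MITRE assigns these, NVD only re-uses them.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Return True for a well-formed CVE ID whose year is plausible (CVE started in 1999)."""
    m = CVE_ID_RE.match(cve_id)
    return bool(m) and int(m.group(1)) >= 1999


def is_enriched(record: dict) -> bool:
    """NVD enrichment here means at least one CVSS v3.1 metric attached to the record."""
    metrics = record.get("metrics") or {}
    return bool(metrics.get("cvssMetricV31"))


def enrichment_gap(records: list) -> dict:
    """Count enriched vs. unenriched CVE IDs in a feed, the way the quoted Flashpoint figures do."""
    total = enriched = 0
    unenriched = []
    for rec in records:
        if not is_valid_cve_id(rec.get("id", "")):
            continue  # skip malformed entries rather than miscount them
        total += 1
        if is_enriched(rec):
            enriched += 1
        else:
            unenriched.append(rec["id"])
    gap = total - enriched
    gap_pct = round(100.0 * gap / total, 1) if total else 0.0
    return {"total": total, "enriched": enriched, "gap": gap,
            "gap_pct": gap_pct, "unenriched": unenriched}


if __name__ == "__main__":
    print(enrichment_gap(SAMPLE_NVD_RECORDS))
```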


Mr. President, do you want China to get the reports instead, or do you want the NSA to have a lead time where the vulns are useful tools?




I'm not sure, but the current article looks to have somewhat more information in it, so I've merged that thread hither instead.


Reminds me of Trump's first term where he said if we stopped testing for Covid, we'd stop catching new cases and case numbers would go down. If you stop testing for vulnerabilities then vulnerabilities go down. Easy stuff.
