The National Institute of Standards and Technology is discontinuing enrichment of most Common Vulnerabilities and Exposures (CVEs), citing resource constraints. The move affects the majority of CVE records in its database.
NIST announced it will no longer provide detailed enrichment data for the bulk of CVE entries, focusing resources on a smaller subset of high-impact vulnerabilities. Enrichment—the process of adding context, severity ratings, and additional metadata to CVE records—has been a cornerstone of NIST's National Vulnerability Database.
The decision reflects growing pressure on the organization as the number of disclosed vulnerabilities continues to accelerate. NIST will prioritize enrichment for CVEs affecting critical infrastructure and widely-used software, while leaving most other entries with minimal annotation.
The change may impact security researchers and organizations relying on comprehensive CVE data for vulnerability assessment and prioritization. Alternative sources and community-driven efforts may need to fill the gap left by reduced NIST enrichment coverage.
NIST's move underscores broader challenges in vulnerability management as the security industry grapples with scaling disclosure and analysis across an expanding attack surface.
Federal prosecutors have unsealed a 2024 indictment charging three Russian nationals and two web hosting services with facilitating cyberattacks and money laundering that victimized cybercrime targets of $62 million.
A hacker accessed Suno's source code using stolen employee credentials, revealing that the AI music generator scraped decades of audio from YouTube to train its model.
Criminals can now clone voices with AI in mere seconds, outpacing traditional authentication defenses that banks and financial institutions rely on to prevent fraud.
Five malicious versions of AsyncAPI packages were published to npm, delivering a remote access trojan capable of stealing credentials and sensitive data from developer systems.