NIST SCALES BACK CVE ENRICHMENT EFFORTS

NIST announced it will no longer provide detailed enrichment data for the bulk of CVE entries, focusing resources on a smaller subset of high-impact vulnerabilities. Enrichment—the process of adding context, severity ratings, and additional metadata to CVE records—has been a cornerstone of NIST's National Vulnerability Database. The decision reflects growing pressure on the organization as the number of disclosed vulnerabilities continues to accelerate. NIST will prioritize enrichment for CVEs affecting critical infrastructure and widely-used software, while leaving most other entries with minimal annotation. The change may impact security researchers and organizations relying on comprehensive CVE data for vulnerability assessment and prioritization. Alternative sources and community-driven efforts may need to fill the gap left by reduced NIST enrichment coverage. NIST's move underscores broader challenges in vulnerability management as the security industry grapples with scaling disclosure and analysis across an expanding attack surface.