NIST Puts Old CVEs on the Back Burner: A Strategic Shift or Security Nightmare?

NIST is hitting pause on CVEs from before 2018, marking them as Deferred in the National Vulnerability Database. With over 20,000 entries affected, NIST aims to focus on emerging threats while urging organizations to manage their own legacy risks. It’s a classic case of “out with the old, in with the new… vulnerabilities!”


Hot Take:

Looks like NIST decided to Marie Kondo their vulnerability database by saying “thank you” and “goodbye” to pre-2018 CVEs. Who knew even vulnerabilities needed a little decluttering?

Key Points:

  • CVEs published before 2018 are now marked as “Deferred” in the National Vulnerability Database (NVD).
  • The change affects over 20,000 entries, potentially reaching 100,000.
  • NIST cites a growing backlog and a 32% surge in submissions as reasons for the shift.
  • Deferred CVEs will remain accessible, but responsibility for managing them shifts to organizations.
  • NIST plans to use AI and machine learning for future data processing improvements.

The Nimble Nerd