NIST’s CVE Time Machine: Why Old Vulnerabilities Are Getting the Boot
NIST is marking all CVEs published before 2018 as Deferred in the National Vulnerability Database. This means NIST won’t prioritize updating these old CVEs unless they appear in CISA’s Known Exploited Vulnerabilities catalog. NIST hopes this will clear up which CVEs get the VIP treatment.

Hot Take:
NIST has decided to hit the snooze button on vulnerabilities old enough to start kindergarten. By marking pre-2018 CVEs as ‘Deferred,’ they’re essentially saying, “If it’s not breaking the internet today, it can wait.” So, if you’ve been holding onto a vulnerability from the Obama administration, it might be time to let it go unless it’s got its name on CISA’s Most Wanted list.

Key Points:
- Pre-2018 CVEs are marked as ‘Deferred’ in the National Vulnerability Database (NVD).
- Deferred CVEs will not be prioritized for updates unless listed in CISA’s Known Exploited Vulnerabilities catalog.
- NIST will still review requests for metadata updates on these CVEs.
- Approximately 20,000 CVEs have already been marked as Deferred, potentially increasing to 100,000.
- NIST is considering AI and machine learning to address the growing backlog of CVE submissions.