#NVD

The recent years have severely tested our reliance on foundational vulnerability data sources like CVE and NVD, leading to a significant loss of trust. As one of the key takeaways from ...
anchore.com/blog/cve-is-saved-but-th...

#Cybersecurity #VulnerabilityManagement #CVE #NVD


The CVE program averted a funding emergency, but the crises of the last few years—like the NVD stopping work in 2024 and the 2025 funding scare—have eroded trust in the existing system.... anchore.com/blog/cve-is-saved-but-th...

#Cybersecurity #VulnerabilityManagement #CVE #NVD

NVD makes up vulnerability severity levels

When a security vulnerability has been found and confirmed in curl, we request a **CVE Id** for the issue. This is a globally unique identifier for this specific problem. We request the ID from our CVE Numbering Authority (CNA), Hackerone, which, once we make the issue public, will publish all details about it to MITRE, which hosts the central database.

In the curl project we have until today requested CVE Ids for and provided information about 135 vulnerabilities spread out over twenty-five years.

A CVE identifier affects a specific product (or set of products), and the problem affects the product from a version until a fixed version. And then there is a **severity**. How bad is the problem?

## CVSS score

The Common Vulnerability Scoring System (CVSS) is a way to grade severity on a scale from zero to ten. You typically use a CVSS calculator, fill in the info as well as you can and voilà, out comes a score. The ranges have corresponding names:

| **Name** | **Range** |
|---|---|
| Low | lower than 4 |
| Medium | 4.0-6.9 |
| High | 7.0-8.9 |
| Critical | 9 or higher |

## CVSS is a shitty system

Anyone who ever gets a problem reported for their project and tries to assess and set a CVSS score will immediately realize what an imperfect, simplified and one-dimensional concept this is. The CVSS score leaves out several very important factors like how widespread the affected platform is and how common the affected configuration is, and yet it is still very subjective as you need to assess and mark different things as None, Low, Medium or High. The same bug is therefore likely to end up with different CVSS scores depending on who fills in the form, even when the persons are familiar with the product and the error in question.

## curl severity

In the curl project we decided to abandon CVSS years ago because of its inherent problems. Instead we use only the four severity names: **Low, Medium, High,** and **Critical**, and we work out the severity together in the curl security team as we work on the vulnerability. We make sure we understand the problem, the risks, its prevalence and more. We take all factors into account and then we set a severity level we think helps the world understand it.

All security vulnerabilities are vulnerabilities and therefore security risks, even the ones set to severity Low, but having the correct severity is still important in messaging and for the rest of the world to get a better picture of _how serious_ the issue is. **Getting the right severity is important.**

## NVD

Let me introduce yet another player in this game. The National Vulnerability Database (NVD). (And no, it's not "national" really.) NVD hosts a database of vulnerabilities. All CVEs that are submitted to MITRE are sucked into NVD's database. NVD says it "_performs analysis on CVEs that have been published to the CVE Dictionary_". That last sentence is probably important.

NVD imports CVEs into their database and they in turn offer other databases to import vulnerabilities from them. One large and known user of the NVD database is one I mentioned in a recent blog post: the GitHub Security Advisory Database (GHSA DB).

## GHSA DB

This GitHub thing is an ambitious database that subsequently hosts a lot of vulnerabilities that people and projects reported themselves, in addition to them importing information about all vulnerabilities ever published with CVE Ids. This creates a huge database that in theory should contain just about every software vulnerability ever reported in public. Pretty cool.

## Enter reality

NVD, in their great wisdom, _rescores_ the CVSS score for CVE Ids they import into their database! (It's not clear how or why, but they seem to not do it for all issues.)

NVD decides they know better than the project that set the severity level for the issue, enters their own answers in the CVSS calculator and eventually sets that new score on the CVEs they import. NVD clearly thinks they need to do this and that they improve the state of the CVEs by this practice, but the end result is close to **scaremongering**.

## Result

Because NVD sets their own severity level and they have some sort of "worst case" approach, virtually all issues that NVD sets severity for are graded worse or much worse when they do it than how we set the severity levels.

Let's take an example: CVE-2022-42915: HTTP proxy double-free. We deemed this a **medium severity**. It was not made higher partly because of the very limited time-window between the two frees, making it harder to take advantage of.

What did NVD say? **Severity 9.8: critical.** See the same issue on GitHub.

Yes, it makes you wonder what magic insights and knowledge the person/bots on NVD possessed when they did this.

## Scaremongering

The different severity levels should not matter too much, but people find those inflated ones and they believe them. Users also find the discrepancies, get confused and won't know what to believe or whom to trust. After all, NVD is a trust-inducing brand. People think they know their stuff and if they say **critical** and the curl project says **medium**, what are we expected to think?

I claim that NVD overstates their severity levels and thereby unnecessarily scares readers and makes them think issues are worse and more dangerous than they actually are. The fact that GitHub now imports all CVE data from NVD makes these severity levels get transported, shown and _believed_, as they are now also shown in the GHSA DB. Look how many _critical_ issues there are!

## Not exactly GitHub's fault

This NVD habit of re-scoring is an old existing habit and I just recently learned it. GitHub's displaying the severity levels highlighted it for me, especially since users out there seem to trust and use this GitHub database.

I have talked to humans on the GitHub database team and I push for them to ignore or filter out the severity levels as set by NVD, if possible. But me being just a single complaining maintainer, I do not expect this to have much of an effect. I would urge NVD to stop this insanity if I had any way to.

## Hackerone glitches?

(Updated after first post.) It turns out that some CVEs that we have filed from the curl project, which uses our CNA Hackerone, have been submitted to MITRE without any severity level or CVSS score at all. For such issues, I of course understand why someone would put their own score on the issue, because then our originally set score/severity is not passed on. Then the "blame" is instead shifted to Hackerone. I have contacted them about it.

## Dispute a CVSS

NVD provides a way to dispute their rescores, but that's just an open free-text form. I have used that form to request that NVD stop rescoring all curl issues. Although I honestly think they should rather stop all rescoring and only do that on the rare occasions where the original score or severity is obviously wrong.

I cannot dispute the severity levels at GitHub. They show the NVD levels.

Was searching for an explanation of why #NVD #CVE ratings are usually higher than others', landed on daniel.haxx.se/blog/2023/03/06/nvd-make... and saw a familiar face: Thanks for posting this, @bagder@maston.social.

#cybersecurity


The dark side of CVEs: behind the scenes of the NVD (USA), CNVD and CNNVD (China) databases

📌 Link to the article: www.redhotcyber.com/post/il-...

#redhotcyber #news #sicurezzainformatica #vulnerabilitainformatica #cybersecurity #gestionevulnerabilita #nist #nvd #cvss #sicurezzadigital


A few weeks ago I had a conversation with Josh Bressers about the Global Vulnerability Intelligence Platform and what we're doing there. It's now available on YouTube and your favourite podcast channels! […]

[Original post on infosec.exchange]


Want to help working on a future global vulnerability intelligence platform with us? Join our community meetings!

https://www.gvip-project.org/blog/2026/community-feb/

#CVE #NVD #GCVE #CRA


Join us for the GVIP Summit - the pre-FOSDEM conference on vulnerability management. Supported by the @sovtechfund

https://www.gvip-project.org

#NVD #CVE #SBOM #CVSS #CWE #CRA

CVE Scanner - NVD Vulnerability Lookup. A tool to query and filter vulnerabilities from the National Vulnerability Database (NVD).

✨ I built a simple page to look up CVEs.

🔗 secguide.pages.dev/cve

#bolhatech #bolhadev #bolhasec #cves #cve #nvd #nist


Save the date! A full day of vulnerabilities. Wednesday Jan 28th 26 in Brussels, Belgium. More details to follow. DM me if you want to speak! #CVE #NVD #CVSS #EUVD #OSV


Why the World's Vulnerability Index Cannot Keep Up The Common Vulnerabilities and Exposures (CVE) system has been called the backbone of modern cybersecurity. For decades, it's been the sha...

#vulnerabilities #CVE #nvd #security #research […]

[Original post on sonatype.com]


🔥 Which critical CVEs were issued in the last two days? What EPSS score do they have? Do they have an exploit? Are they on the KEV?

➡️ Here is the link: www.redhotcyber.com/servizi/...

#redhotcyber #patching #cve #nist #nvd #cna #bugdisicurezza #bughunting #hacking #cti #ai

NVIDIA NV-Tesseract-AD: Revolutionizing Anomaly Detection with Advanced Techniques Discover how NVIDIA NV-Tesseract-AD is transforming anomaly detection through cutting-edge AI architectures, enabling high-speed, accurate anomaly identification across diverse industries.

NVIDIA NV-Tesseract-AD: Revolutionizing Anomaly Detection with Advanced Techniques Redefining the Landscape of Anomaly Detection with NV-Tesseract-AD The demands on anomaly detection systems have.... @cosmicmeta.ai #NVD

https://u2m.io/wEJbeTLp


🔥 Latest critical CVEs issued? EPSS score? Find them "Online" at Red Hot Cyber! 🔥

➡️ Here is the link: www.redhotcyber.com/servizi/...

#redhotcyber #patching #cve #nist #nvd #cna #bugdisicurezza #bughunting #hacking #cti #ai


"What began as a trickle of software vulnerabilities in the early Internet era has become an unstoppable avalanche, and the free databases that have tracked them for decades have struggled to keep up."

www.technologyreview.com/2025/07/11/1... #NVD #CVE #infosec #potatosecurity #appsec

Cybersecurity’s global alarm system is breaking down The US system to track vulnerabilities is struggling to keep up with its backlog. Experts are scrambling to assemble alternatives.

"What began as a trickle of software vulnerabilities in the early Internet era has become an unstoppable avalanche, and the free databases that have tracked them for decades have struggled to keep up."

www.technologyreview.com/2025/07/11/1... #NVD #CVE #infosec #cybersecurity #appsec

Europe's EUVD could shake up the vulnerability database ecosystem A new vulnerability database launched by the European Union could shake up an ecosystem long dominated by the United States. more

Europe's new EUVD aims to reshape the vulnerability database ecosystem, bringing resilience and openness to a field long dominated by the US. jpmellojr.blogspot.com/2025/07/euro... #EUVD #NVD #VulnerabilityDatabase #AppSec

Europe's EUVD could shake up the vulnerability database ecosystem EU steps up to fill gaps from the US NVD and CVE. Here's what you need to know — and why you need to think beyond vulnerabilities.

Here's what your #AppSec team needs know about the EU Vulnerability Database (#EUVD) — & how it aims to fill gaps from the #NVD & #CVE. #SoftwareSupplyChainSecurity www.reversinglabs.com/blog/euvd-vu...


After a day full of intense and instructive dance workshops, it's time for the #Galabal #NVD #NVDDANCE #Uden #danscongres #gezellig #dansen #wijnen #dineren


Lovely out on the terrace after an afternoon of boating on the WijdeBlik... Ready for a weekend #DansCongres #NVD #NVDDance in #Uden #genieten #dansen #dineren

Future-ready cybersecurity: Lessons from the MITRE CVE crisis The domino effect of CVE disruption is something all cybersecurity practitioners must be aware of, a Morphisec executive argues.

Future-ready cybersecurity: Lessons from the MITRE CVE crisis The domino effect of CVE disruption...

cyberscoop.com/mitre-cve-vulnerability-...

#Commentary #Cybersecurity #Research #Technology #Threats #CVE #MITRE #NVD #vulnerability #management


Supertramp “Breakfast In America”

Sunday Sessions Vinyl Selection #1

#NVD

EU bug database fully operational as US slashes infosec : EUVD comes into play not a moment too soon

🇪🇺 EU bug database fully operational as US slashes infosec

#euvd #nvd #cisa #infosec
