Neil Carpenter’s Post


Orca Field CTO / Security Evangelist / Cloud Security / Shift-Left / Security Incident Responder

"Yesterday, I pointed out that the National Vulnerability Database has not only failed to perform one of its most important jobs – adding CPE names to all new CVE records, a process called “enrichment” – this year, but they put an exclamation point on that record during the last two weeks of the year (ending yesterday 12/30) when they only added 15 of the 1,181 CPEs they should have added during that period. This means that, during those two weeks, they were only operating at a rate of 1%, vs. 45% in the previous 50 weeks (even 45% is abysmal, but it’s 45 times better than 1%, if my math is correct)." (quoting Tom Alrich from the link below)

National Institute of Standards and Technology (NIST), is there _any_ way that you could clearly, and continuously, communicate with the industry on how NVD is doing instead of leaving it to everybody to figure it out? https://lnkd.in/ek2JGBbG

Et tu, CISA? (tomalrichblog.blogspot.com)
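The gap the post describes (CVE records published without CPE names) is measurable from the NVD CVE API 2.0 response shape. The following is an added example, not code from the post, from Tom Alrich or from NVD: it counts which records carry a CPE configuration and lists the ones that do not, since those are invisible to CPE-based vulnerability matching. The records and CVE IDs are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in NVD CVE API 2.0 shape (not real NVD data):
# two records carry CPE configurations, two are still unenriched.
def _cpe(criteria):
    return [{"nodes": [{"operator": "OR", "negate": False,
                        "cpeMatch": [{"vulnerable": True, "criteria": criteria}]}]}]

SAMPLE_RESPONSE = json.dumps({"totalResults": 4, "vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "configurations": _cpe("cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*")}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Modified",
             "configurations": _cpe("cpe:2.3:o:example:os:*:*:*:*:*:*:*:*")}},
    {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Received"}},
]})


def is_enriched(cve):
    """True only if the record carries at least one CPE match criterion."""
    return any(node.get("cpeMatch")
               for config in cve.get("configurations", [])
               for node in config.get("nodes", []))


def enrichment_report(response_json):
    """Count enriched vs unenriched records, the rate, and IDs lacking CPEs.

    Unenriched CVEs cannot be matched by CPE, so they are the ones a
    vulnerability-management team must cover from another source.
    """
    data = json.loads(response_json)
    by_status, missing = Counter(), []
    for item in data.get("vulnerabilities", []):
        cve = item["cve"]
        by_status[cve.get("vulnStatus", "Unknown")] += 1
        if not is_enriched(cve):
            missing.append(cve["id"])
    total = len(data.get("vulnerabilities", []))
    enriched = total - len(missing)
    return {"total": total, "enriched": enriched,
            "rate_pct": round(100.0 * enriched / total, 1) if total else 0.0,
            "unenriched_ids": missing, "by_status": dict(by_status)}


if __name__ == "__main__":
    print(json.dumps(enrichment_report(SAMPLE_RESPONSE), indent=2))
```

Feeding a real paged API response into `enrichment_report` gives the same metric the post quotes (enriched records over records published in a window), plus the concrete list of CVE IDs that need coverage from a source other than CPE matching.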

Tom Alrich

Leader of OWASP SBOM Forum and Vulnerability Database Working Group projects; consultant on NERC CIP compliance in the cloud and vulnerability management

1mo

This is a nice idea, Neil, but since the NVD staff members are all part of NIST, I don't think anything is going to change. The fact that the last notification they provided was in mid-November, related to a scheduled outage the next week, shows that communicating with the public just isn't their thing. For that matter, they have yet to give a coherent explanation of what happened on Feb. 12, and they keep pretending that about 3 months never happened and their backlog is much smaller than it is.

