NIST Announces Status Change: CVEs Published Before 2018 Will Be Deferred

The National Vulnerability Database (NVD) has announced significant operational changes in response to the growing volume of vulnerability submissions and processing challenges.

Most notably, all Common Vulnerabilities and Exposures (CVEs) with a published date prior to January 1, 2018, will be marked as “Deferred” within the NVD dataset beginning April 2, 2025.

This change comes as the organization faces a 32% increase in CVE submissions during 2024, with expectations for continued growth throughout 2025.

Legacy Vulnerabilities Transition to “Deferred” Status

Under the new classification system, older vulnerabilities will display a banner on their CVE Detail Pages indicating their deferred status.

According to the NVD, this change “will take place throughout several nights” and aims to “provide additional clarity regarding which CVE records are prioritized”.

The organization clarifies that deferred status does not mean the abandonment of these records.

“We will continue to accept and review requests to update the metadata provided for these CVE records,” the announcement states, adding that updates will be prioritized “as time and resources allow”.

Importantly, any CVEs added to the Known Exploited Vulnerabilities (KEV) catalog will receive priority processing regardless of their age or status.

Security professionals running vulnerability management programs should note that while these older CVEs won’t receive proactive updates, their criticality may change if new exploitation methods emerge, particularly if they’re elevated to KEV status.
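One way a vulnerability management pipeline could account for the deferred status and the KEV exception described above, as an added example that is not code from NVD or from this article. It assumes records shaped like NVD CVE API 2.0 responses (the `published`, `vulnStatus` and `cisaExploitAdd` fields); the CVE IDs are constructed placeholders, and the function and bucket names are hypothetical.

```python
from datetime import datetime

# Cutoff from the announcement: CVEs published before this date are deferred.
DEFER_CUTOFF = datetime(2018, 1, 1)

# Constructed sample in the assumed NVD CVE API 2.0 shape (placeholder IDs, not real CVEs).
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2016-EXAMPLE-A", "published": "2016-05-10T14:59:00.000",
                 "vulnStatus": "Deferred"}},
        {"cve": {"id": "CVE-2017-EXAMPLE-B", "published": "2017-11-02T09:29:00.000",
                 "vulnStatus": "Deferred", "cisaExploitAdd": "2025-03-10"}},
        {"cve": {"id": "CVE-2017-EXAMPLE-C", "published": "2017-12-31T23:59:00.000",
                 "vulnStatus": "Modified"}},
        {"cve": {"id": "CVE-2021-EXAMPLE-D", "published": "2021-07-01T12:00:00.000",
                 "vulnStatus": "Analyzed"}},
    ]
}


def triage(response, kev_ids=frozenset()):
    """Sort CVE records into buckets a vulnerability management program can act on.

    kev_ids is an optional set of CVE IDs taken from a locally held KEV catalog copy,
    used in addition to the cisaExploitAdd field on the record itself.
    """
    buckets = {"kev_priority": [], "deferred": [], "pending_deferral": [], "active": []}
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        published = datetime.fromisoformat(cve["published"])
        if "cisaExploitAdd" in cve or cve["id"] in kev_ids:
            # KEV entries get priority regardless of age or deferred status.
            bucket = "kev_priority"
        elif cve.get("vulnStatus") == "Deferred":
            # No proactive NVD enrichment: rely on your own scoring for these.
            bucket = "deferred"
        elif published < DEFER_CUTOFF:
            # The relabeling runs over several nights, so some old records lag behind.
            bucket = "pending_deferral"
        else:
            bucket = "active"
        buckets[bucket].append(cve["id"])
    return buckets


if __name__ == "__main__":
    for name, ids in triage(SAMPLE_RESPONSE).items():
        print(f"{name}: {ids}")
```

Re-running the triage whenever the local KEV copy changes catches a deferred record that moves into the priority bucket.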

Technical Infrastructure Updates Amid Processing Challenges

The NVD is implementing several technical changes to its infrastructure as it works to address processing challenges.

API users were recently advised to reset their lastModStartDate parameter to ‘2025-02-26T00:00:00.000’ due to “an internal issue with processing analyzed CVEs”.

More substantial changes are coming to the NVD’s technical framework, including:

  • Updates to the /cves/ schema to version 2.2.2
  • Removal of minItems and maxItems restrictions from specific JSON properties
  • Resolution of incongruent CVSS v4.0 property labels within JSON responses
  • Performance and stability improvements to supporting infrastructure

Perhaps most significant for developers and security tools utilizing NVD data feeds is the planned retirement of legacy data feed files.

The NVD will replace the 1.1 Vulnerability Feeds, 1.0 CPE Match Feed, and Official CPE 2.3 Dictionary files with 2.0 API-compliant alternatives.

The legacy versions will remain available for three months following the implementation of these changes before being permanently decommissioned.

The processing challenges come at a critical time for cybersecurity.

“The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead,” the NVD acknowledged in its March update.

To address these challenges, the organization is “working to increase efficiency by improving our internal processes and exploring the use of machine learning to automate certain processing tasks.”

These improvements will be crucial as the NVD continues to serve as a cornerstone resource for vulnerability management and cybersecurity operations across public and private sectors.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.