Matt Kapko / CyberScoop : The NIST narrows its National Vulnerability Database priorities to CVEs in CISA's known exploited catalog, to deal with a backlog after its 2024 funding lapse — The National Vulnerability Database will now only analyze vulnerabilities in critical software, systems used in the federal government and those under active exploitation.
NIST will stop enriching most CVE records, meaning it will no longer add detailed context, scoring guidance, or narratives to the majority of entries in the National Vulnerability Database. The change shifts responsibility for detailed vulnerability descriptions and severity assessment back to CVE Numbering Authorities and vendors. Proponents say the move acknowledges practical limits — deep product knowledge is often required to accurately score complex bugs — while critics warn it could enable vendors to downplay issues, reduce independent scrutiny, and fragment how vulnerabilities are communicated. The decision matters for cybersecurity operations, vulnerability management tools, and incident responders who rely on NIST’s enriched data for prioritization and remediation workflows.
NIST announced it will stop enriching most CVE entries in the National Vulnerability Database and will only add detailed metadata for ‘important’ vulnerabilities: those on CISA’s Known Exploited Vulnerabilities list, affecting software used by US federal agencies, or classified as “critical software” (OSes, browsers, security tools, firewalls, backups, VPNs, etc.). The agency also will stop assigning its own CVSS scores and will display the severity provided by the CVE issuer. NIST says budget constraints and an explosion of reported bugs made comprehensive enrichment impossible, leaving tens of thousands of CVEs un-annotated. The shift forces vulnerability-management vendors and security teams to find alternate data sources or perform their own enrichment, fragmenting the prior single-source model for vulnerability intelligence.
NIST announced it will stop enriching most CVE entries in the National Vulnerability Database and instead focus enrichment efforts only on important vulnerabilities: those on CISA's KEV list, in software used by US federal agencies, or deemed "critical software" (OSes, browsers, security tools, firewalls, backups, VPNs). The agency also will stop assigning CVSS scores in the NVD and will display the severity provided by the CVE issuer. NIST framed the change as necessary after an explosion of reported bugs and budget constraints left tens of thousands of CVEs without metadata. The move forces vulnerability management vendors and security teams to seek other data sources or perform their own enrichment, fracturing the single-source model many relied on.
NIST researchers have demonstrated a method to integrate tunable lasers across many wavelengths directly onto silicon photonics chips by stacking specialized materials on silicon wafers, reported in Nature. The fingernail-sized integrated photonics circuits can generate a “rainbow” of laser colors previously available only from bulky, expensive lab equipment. Key players include NIST physicist Scott Papp and collaborators; the work replaces room-sized lasers with on-chip sources compatible with optical waveguides and fibers. This matters because widely tunable, compact lasers could accelerate deployment of quantum computers, optical atomic clocks, advanced communications, sensing, and other photonics-driven technologies by lowering cost, size, and power barriers. The work moves integrated photonics toward scalable, practical quantum and optical systems.