NIST gives up enriching most CVEs

NIST says only big bugs get details; users argue 'about time' vs 'who watches the vendors'

TLDR: NIST will stop adding rich details to most bug entries and focus on big, exploited, or government-used software. Commenters split between “finally” and fears of vendor spin, with jokes about turning bugs into random IDs; tools that relied on NVD now need new data sources fast.

Cue the popcorn: NIST just told the internet it’s done writing long descriptions for most software bugs. The agency behind the US National Vulnerability Database (NVD) will now “enrich” details only for the scary stuff—bugs actively exploited in the wild (CISA’s KEV list), software used by federal agencies, and broadly “critical software” like operating systems and browsers. Commenters immediately split into camps. One side cheered the triage: “Long overdue,” said one, echoing years of frustration as NIST drowned in a flood of bug reports and budget cuts since 2024. Others claimed this isn’t even a change: “Haven’t seen much enrichment in years,” quipped another.

Then came the drama. Skeptics warned this opens the door to vendor spin—companies scoring their own homework and downplaying flaws. A counterpoint fired back: outsiders can also mis-score thousands of niche bugs; nobody wins in the blame game. Meanwhile, meme-lords proposed a nuclear option: “Maybe we should just assign UUIDs,” a jab at how meaningless bug IDs could become without rich context. Industry watchers piled on with a bigger gut-punch: there’s no single source of truth anymore—as Aikido’s take put it—so expect chaos as tools scramble beyond NVD. NIST’s official line is here, if you like receipts: the announcement itself, and the PDF that spells out what “critical software” means. Buckle up: fewer words, more fights.

Key Points

  • NIST will limit NVD enrichment to CVEs in CISA’s KEV catalog, software used by US federal agencies, and “critical software.”
  • The “critical software” list includes OSs, web browsers, security software, firewalls, backup software, and VPNs (as per NIST’s referenced PDF).
  • NIST’s CVE enrichment backlog grew from a few thousand in early 2024 to nearly 30,000 by end-2024 and remains tens of thousands behind.
  • The shift is driven by surging vulnerability volume, mounting costs, and budget cuts affecting DHS and CISA under the Trump administration.
  • Vendors relying on NVD enrichment must seek alternative data sources or enrich vulnerabilities themselves; industry notes no single authoritative source.

Hottest takes

"Long overdue to be honest." — DeepYogurt
"This opens the door for a lot of infosec drama." — smsm42
"Maybe we should just assign UUIDs" — Retr0id
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.