HeadlinesBriefing.com

NIST Cuts CVE Enrichment, Focuses on Critical Bugs

Source: Hacker News

NIST announced a shift in its National Vulnerability Database policy that will stop enriching most CVEs. From now on, staff will focus only on vulnerabilities that affect federal agencies, are listed in CISA KEV, or belong to the agency’s Critical Software roster. The change follows a two‑year struggle to keep pace with the flood of new bugs.

NIST’s move comes after more than 48,000 CVEs were assigned last year, a number projected to surge with AI‑driven scanners. The agency will also drop its own CVSS scores, showing instead the severity initially set by the CVE issuer. Critics warn that vendors may downplay their own flaws, eroding trust in the single source of truth.

Security firms relying on the NVD for scanning dashboards face a sudden data gap. They must now source or enrich missing CVEs themselves. Aikido Security’s Sooraj Shah notes the end of a single trusted repository, pushing the industry toward fragmented data pipelines. The decision underscores the growing cost of vulnerability intelligence in a budget‑tight environment.
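As an added example (not from the article, NIST, or Aikido), the kind of check a scanning pipeline now needs: given NVD API 2.0 JSON, flag records whose CVSS severity comes only from the CVE issuer (CNA) or is missing entirely, so the pipeline knows which CVEs it must enrich itself. The field names are those of the NVD API 2.0 format as assumed here; the records and CVE IDs are constructed placeholders.

```python
"""Flag NVD records that carry no NIST-supplied CVSS metric.
Field names follow the NVD API 2.0 JSON format (assumed); the sample
records and their CVE IDs below are constructed placeholders."""
import json

NIST_SOURCE = "nvd@nist.gov"   # source value on NIST's own metric entries

SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "metrics": {
        "cvssMetricV31": [
            {"source": NIST_SOURCE, "type": "Primary",
             "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
            {"source": "vendor@example.com", "type": "Secondary",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis", "metrics": {
        "cvssMetricV31": [
            {"source": "vendor@example.com", "type": "Secondary",
             "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]})


def classify(record):
    """Return (cve_id, enrichment, score, severity) for one NVD record.
    enrichment is 'nist' when NIST supplied a CVSS metric, 'cna-only'
    when only the issuer's metric exists, and 'none' when there is no metric."""
    cve = record["cve"]
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    nist = [m for m in metrics if m.get("source") == NIST_SOURCE]
    if nist:
        chosen, how = nist[0], "nist"
    elif metrics:
        chosen, how = metrics[0], "cna-only"   # trusting the vendor's own rating
    else:
        return cve["id"], "none", None, None
    data = chosen["cvssData"]
    return cve["id"], how, data["baseScore"], data["baseSeverity"]


def audit(nvd_json):
    """Classify every record so a pipeline can list the CVEs it must enrich itself."""
    return [classify(r) for r in json.loads(nvd_json)["vulnerabilities"]]


if __name__ == "__main__":
    for cve_id, how, score, sev in audit(SAMPLE_NVD_RESPONSE):
        print(f"{cve_id}: {how:8} score={score} severity={sev}")
```

Records marked `cna-only` or `none` are the data gap the article describes; a pipeline that keeps reporting them as scored without noting the source is quietly trusting the vendor's own rating.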

Government agencies that rely on enriched data for risk assessments will need to adjust their threat models. The policy shift also signals a broader industry trend toward selective triage as manpower and funding dwindle. The immediate impact will be a sharper focus on high‑profile bugs, but lower‑tier vulnerabilities may slip into the dark.