FAQ

Frequently Asked Questions about NVD++ from VulnCheck.

Below are some questions that sometimes come up when folks first learn about sourcing the NIST NVD from VulnCheck.

Frequently Asked Questions

What is NVD++ from VulnCheck?

The NIST National Vulnerability Database (NVD) is a vulnerability database maintained by the National Institute of Standards and Technology (NIST). However, consuming the NVD directly from NIST has been challenging for some organizations.

NVD++ is the latest addition to the VulnCheck Community resources to serve security teams and practitioners. In December 2023, VulnCheck announced its first Community resource: perpetual support and maintenance of the NIST NVD 1.0 offline backups, ahead of the migration deadline. NVD++ bundles the 2.0 API with the previously released 1.0 API, including downloadable JSON backup files for each, into a single resource.

Why has VulnCheck added NVD++ to VulnCheck Community?

Many organizations' first experience with the NIST NVD was via the NIST NVD 1.0 offline backups (bulk data downloads). Many organizations wrote integrations against these data downloads, which were subsequently halted by NIST.

After NIST stopped producing NVD 1.0 offline backups, NIST required people to migrate to the NVD 1.0 API. However, on December 15, 2023, the NVD 1.0 API was itself deprecated.

With NVD 2.0 from NIST, the offline backups were never resurrected and the NVD 2.0 API from NIST frequently has timeouts or 503 Service Unavailable errors. In early 2024, NIST posted a rather disconcerting message on their website, https://nvd.nist.gov, which made some folks in the Cybersecurity community concerned about NIST's continued involvement in NVD. VulnCheck was one of these concerned organizations and we felt ready to start helping the community that we're all part of.

How do I gain access to NVD++ from VulnCheck?

Sign up for a free VulnCheck Community account on https://vulncheck.com

How much does NVD++ cost?

It's free! We only ask for prominent attribution to VulnCheck.

What versions of the NVD are included with NVD++?

VulnCheck Community includes two (2) versions of NVD++. These include:

Index        Source    Description
nist-nvd2    NIST      NVD 2.0
nist-nvd     NIST      NVD 1.0 generated from NVD 2.0; unlike NIST, supported indefinitely

VulnCheck Exploit & Vulnerability Intelligence includes four (4) versions of NVD. These include:

Index            Source       Description
vulncheck-nvd2   VulnCheck    NVD 2.0 with VulnCheck extensions (more fields and earlier data)
vulncheck-nvd    VulnCheck    NVD 1.0 with VulnCheck extensions (more fields and earlier data)
nist-nvd2        NIST         NVD 2.0 with an SLA
nist-nvd         NIST         NVD 1.0 with an SLA generated from NVD 2.0; unlike NIST, supported indefinitely
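Because the two index families above ship the same CVEs in two different JSON shapes (the NVD 1.0 bulk-feed layout and the NVD 2.0 API layout), an integration that was written against the 1.0 backups needs a small normalization layer before it can read the 2.0 index. The following is an added example, not VulnCheck's or NIST's code; the sample records are constructed (the CVE ids are placeholders) and follow the public NIST 1.0 and 2.0 schema field names.

```python
import json
from typing import Any, Dict, List

# Constructed sample documents (not real NVD data): one in the NVD 1.0 bulk-feed
# layout, one in the NVD 2.0 API/backup layout. Field names follow the NIST schemas.
NVD1_SAMPLE = json.dumps({"CVE_Items": [{
    "cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
            "description": {"description_data": [{"lang": "en", "value": "Sample 1.0 record"}]}},
    "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8}}},
    "lastModifiedDate": "2024-01-02T03:04Z"}]})

NVD2_SAMPLE = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-0000-0002",
    "lastModified": "2024-01-02T03:04:05.000",
    "descriptions": [{"lang": "es", "value": "..."}, {"lang": "en", "value": "Sample 2.0 record"}],
    "metrics": {"cvssMetricV31": [{"type": "Secondary", "cvssData": {"baseScore": 8.8}},
                                  {"type": "Primary", "cvssData": {"baseScore": 7.5}}]}}}]})


def normalize(document: str) -> List[Dict[str, Any]]:
    """Return [{'id', 'description', 'cvss_v3', 'last_modified'}] from NVD 1.0 or 2.0 JSON."""
    data = json.loads(document)
    if "CVE_Items" in data:  # NVD 1.0 bulk-feed layout
        return [_from_v1(item) for item in data["CVE_Items"]]
    if "vulnerabilities" in data:  # NVD 2.0 API / backup layout
        return [_from_v2(item["cve"]) for item in data["vulnerabilities"]]
    raise ValueError("unrecognised NVD document: expected CVE_Items or vulnerabilities")


def _english(descs: List[Dict[str, str]]) -> str:
    # Both layouts carry a list of language-tagged descriptions; keep the English one.
    return next((d["value"] for d in descs if d.get("lang") == "en"), "")


def _from_v1(item: Dict[str, Any]) -> Dict[str, Any]:
    cve = item["cve"]
    score = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore")
    return {"id": cve["CVE_data_meta"]["ID"],
            "description": _english(cve["description"]["description_data"]),
            "cvss_v3": score,
            "last_modified": item.get("lastModifiedDate")}


def _from_v2(cve: Dict[str, Any]) -> Dict[str, Any]:
    # 2.0 may carry several CVSS v3 entries (NVD plus CNA); prefer the "Primary" one.
    metrics = cve.get("metrics", {})
    v3 = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
    chosen = next((m for m in v3 if m.get("type") == "Primary"), v3[0] if v3 else None)
    return {"id": cve["id"],
            "description": _english(cve.get("descriptions", [])),
            "cvss_v3": chosen["cvssData"]["baseScore"] if chosen else None,
            "last_modified": cve.get("lastModified")}
```

Note that the timestamp formats differ between the two layouts, so a downstream consumer should parse `last_modified` rather than compare the raw strings.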

How does NVD++ from VulnCheck differ from VulnCheck's Exploit & Vulnerability Intelligence product?

NVD++ from VulnCheck represents less than one-tenth of 1% of our commercially-available Exploit & Vulnerability Intelligence product.

Below are some of the features of VulnCheck Exploit & Vulnerability Intelligence, which are not included in NVD++ from VulnCheck:

  • Exploit Intelligence
    • Exploitation timeline
    • Exploit maturity
    • Exploit availability
    • Commercial exploit PoC tracking
    • Exploit type
    • Git clone URLs
    • Git history
    • Cached exploit PoCs
    • Exploited by Threat Actors / APT
    • Exploited by Ransomware groups
    • Exploited by Botnets
    • Threat Actors / APT <-> CVE mapping
    • Ransomware groups <-> CVE mapping
    • Botnets <-> CVE mapping
    • Threat Actors / APT <-> Cybersecurity Vendor naming scheme
    • Offline backups of all Exploit Intelligence data
    • SLA: Uptime guarantees
  • Vulnerability Intelligence
    • Average of 10x as many references
    • Vulnerability Status
    • Vulnerability Alias
    • CVSS v2 Temporal Scores
    • CVSS v3 Temporal Scores
    • MITRE ATT&CK mapping
    • MITRE CAPEC mapping
    • Additional CWE mapping
    • Additional CWE data
    • Vulnerability categorization
    • Foreign vulnerability data sources
    • Package URL lookup support
    • Operating System (OS) package manager coverage
    • Open Source Software (OSS) library package manager coverage
    • End-of-Life (EOL) coverage for Operating Systems (OS)
    • Offline backups of all Vulnerability Intelligence data
    • SLA: Uptime guarantees