NIST NVD

Introduction

VulnCheck makes it easy to migrate from the NIST NVD to NVD++ from VulnCheck.

The NIST National Vulnerability Database (NVD) is a vulnerability database maintained by the National Institute of Standards and Technology (NIST). However, consuming the NVD from NIST has been challenging for some organizations.

What is NVD++ from VulnCheck?

NVD++ is the latest addition to the VulnCheck Community resources to serve security teams and practitioners. In December 2023, VulnCheck announced its first Community resource: perpetual support and maintenance of the NIST NVD 1.0 offline backups, ahead of the migration deadline. NVD++ bundles the 2.0 API with the previously released 1.0 API, including downloadable JSON backup files for each, into a single resource.

In March 2024, VulnCheck extended community support to the NIST NVD 2.0 data, including backups and API access. To help the community with the increasing backlog of CVEs awaiting analysis, VulnCheck is also enriching the NVD 1.0 and NVD 2.0 data with CPE data.

Why has VulnCheck released NVD++ to the VulnCheck Community?

Many organizations' first experience with the NIST NVD was via the NIST NVD 1.0 offline backups (bulk data downloads). Many organizations wrote integrations with these data downloads, which were subsequently halted by NIST.

After NIST stopped producing NVD 1.0 offline backups, NIST required people to migrate to the NVD 1.0 API. However, on December 15, 2023, this NVD 1.0 API was itself deprecated.

With NVD 2.0 from NIST, the offline backups were never resurrected, and the NVD 2.0 API from NIST frequently has timeouts or 503 Service Unavailable errors. In early 2024, NIST posted a rather disconcerting message on their website, https://nvd.nist.gov, which made some folks in the cybersecurity community concerned about NIST's continued involvement in NVD. VulnCheck was one of these concerned organizations, and we felt ready to start helping the community that we're all part of.