Introduction
The NIST National Vulnerability Database (NVD) is a vulnerability database maintained by the National Institute of Standards and Technology (NIST). However, consuming the NVD from NIST has been challenging for some organizations. More recently, NIST NVD has also slowed the processing of new vulnerabilities, which has led us to provide community services to help fill the gap.
What is NVD++ from VulnCheck?
NVD++ is the latest addition to the VulnCheck Community resources to serve security teams and practitioners. In December 2023, VulnCheck announced its first Community resource: perpetual support and maintenance of the NIST NVD 1.0 offline backups, ahead of the migration deadline. NVD++ bundles the 2.0 API with the previously released 1.0 API, including downloadable JSON backup files for each, into a single resource.
In March 2024, VulnCheck extended community support to the NIST NVD 2.0 data, including backups and API access. To help the community with the increasing backlog of CVEs awaiting analysis, VulnCheck is also enriching the NVD 1.0 and NVD 2.0 data with VulnCheck-generated CPE data.
In May 2024, we made the decision to add the CVE Program's MITRE CVElist to VulnCheck NVD++ and to provide API access to it. This gives the community access to both NVD and CVElist in one central place, accessible through an API.
Why has VulnCheck released NVD++ to the VulnCheck Community?
Many organizations' first experience with the NIST NVD was via the NIST NVD 1.0 offline backups (bulk data downloads). Many organizations wrote integrations with these data downloads, which were subsequently halted by NIST.
After NIST stopped producing NVD 1.0 offline backups, NIST then required people to migrate to the NVD 1.0 API. However, on December 15, 2023, this NVD 1.0 API was itself deprecated.
With NVD 2.0 from NIST, the offline backups were never resurrected, and the NVD 2.0 API from NIST frequently returns timeouts or 503 Service Unavailable errors. In early 2024, NIST posted a rather disconcerting message on its website, https://nvd.nist.gov, which made some folks in the cybersecurity community concerned about NIST's continued involvement in NVD. VulnCheck was one of these concerned organizations, and we felt ready to start helping the community that we're all part of.