
CISA Announces CVE “Vulnrichment” Program to Fill CVE Enrichment Gap

Author: Chase Snow

Created: Thursday, May 9, 2024 - 18:25

Categories: Cybersecurity, Federal & State Resources, Security Preparedness

The recent slowdown in NIST’s National Vulnerability Database, which oversees CVE enrichment and provides the cataloging of vulnerabilities that cyber professionals rely upon, has caused CISA to take action. NIST’s analysts have managed to analyze only 4,523 of the 14,280 CVEs they have received since the start of the year, making this an increasingly urgent problem. CISA has announced it is creating a new program, called “Vulnrichment,” that aims to fill the CVE enrichment gap.

Analyst Comment (Jennifer Lyn Walker): Given the success of CISA’s Known Exploited Vulnerabilities (KEV) Catalog in improving patching and vulnerability management (Organizations patch CISA KEV list bugs 3.5 times faster than others, researchers find), this “Vulnrichment” program looks like something to keep an eye on.

How will CISA’s “Vulnrichment” work?

“The CISA Vulnrichment project is the public repository of CISA’s enrichment of public CVE records through CISA’s ADP (Authorized Data Publisher) container. In this phase of the project, CISA is assessing new and recent CVEs and adding key SSVC decision points,” the agency explains on the project’s GitHub repository. CISA has thus far enriched 1,300 CVEs.

Using an SSVC decision tree model, CISA puts vulnerabilities into one of four categories based on exploitation status, technical impact, impact on mission essential functions, public well-being, and whether the exploitation is automatable.
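For vulnerability management teams that want to consume this enrichment, the following added example (not code from CISA or from this article) reads the SSVC decision points out of the CISA ADP container of CVE records and separates enriched from unenriched entries. The sample records are constructed, the JSON layout is assumed from the CVE JSON 5.x record format, and the "urgent" rule is a hypothetical local policy, not CISA's decision tree.

```python
import json

# Constructed sample records (placeholder CVE IDs); layout assumed from CVE JSON 5.x.
SAMPLE_RECORDS = json.loads("""
[
  {"cveMetadata": {"cveId": "CVE-0000-00001"},
   "containers": {"cna": {}, "adp": [
     {"providerMetadata": {"shortName": "CISA-ADP"},
      "metrics": [{"other": {"type": "ssvc", "content": {"options": [
        {"Exploitation": "active"}, {"Automatable": "yes"},
        {"Technical Impact": "total"}]}}}]}]}},
  {"cveMetadata": {"cveId": "CVE-0000-00002"},
   "containers": {"cna": {}, "adp": [
     {"providerMetadata": {"shortName": "CISA-ADP"},
      "metrics": [{"other": {"type": "ssvc", "content": {"options": [
        {"Exploitation": "none"}, {"Automatable": "no"},
        {"Technical Impact": "partial"}]}}}]}]}},
  {"cveMetadata": {"cveId": "CVE-0000-00003"},
   "containers": {"cna": {}}}
]
""")

def ssvc_points(record, provider="CISA-ADP"):
    """Return {decision point: value} from the provider's ADP container, or None if unenriched."""
    for adp in record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") != provider:
            continue  # ignore containers published by other ADPs
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") == "ssvc":
                points = {}
                for option in other.get("content", {}).get("options", []):
                    points.update(option)  # each option is a one-key object
                return points
    return None

def triage(records):
    """Bucket CVE IDs; 'urgent' is a hypothetical local rule for illustration."""
    buckets = {"urgent": [], "enriched": [], "unenriched": []}
    for rec in records:
        cve_id = rec["cveMetadata"]["cveId"]
        points = ssvc_points(rec)
        if points is None:
            buckets["unenriched"].append(cve_id)  # no CISA SSVC data yet
        elif points.get("Exploitation") == "active" and points.get("Automatable") == "yes":
            buckets["urgent"].append(cve_id)
        else:
            buckets["enriched"].append(cve_id)
    return buckets

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```

The decision points that depend on an organization's own mission and public well-being impact are not read from the record here; a real workflow would supply them locally before assigning a category.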

CISA encourages the IT cybersecurity professional community to provide feedback on its effort, and expects the project to evolve quickly. For more details about CISA’s Vulnrichment program, visit Help Net Security.
