
NIST Just Admitted They Can't Keep Up With CVEs. We've Been Enriching Faster Than NVD For Months.

  • Writer: Patrick Duggan

The National Institute of Standards and Technology announced this week that they will only enrich CVEs that meet certain conditions going forward. The reason: an "explosion in CVE submissions" has overwhelmed the National Vulnerability Database's capacity to process them.


Translation: the canonical source of truth for vulnerability data — the database every scanner, every SIEM, every compliance audit references — just told the world it can't keep up.


This is not a surprise. This is an inevitability.





What NVD Enrichment Actually Means


When a CVE is assigned, it gets a number and a description. That's it. The NVD enrichment process adds the things security teams actually need: CVSS scoring, CWE classification, affected product lists (CPE), and reference links. Without enrichment, a CVE is a number with a paragraph. With enrichment, it's actionable intelligence.


NIST's announcement means a growing number of CVEs will sit in the NVD with a number and a paragraph. No CVSS. No CWE. No CPE. No way to automatically match the vulnerability to the products in your environment. Your scanner won't flag it. Your SIEM won't correlate it. Your compliance report won't list it.


The vulnerability still exists. The exploit still works. The attacker doesn't wait for NIST to fill in the CVSS field.





Why This Makes Independent Enrichment Critical


Every organization that relies on NVD as its sole source of vulnerability intelligence just got a gap. The gap will grow as CVE submission volume continues to increase (driven by AI-assisted vulnerability discovery, expanded CNA authority, and automated fuzzing at scale).


The organizations that won't feel this gap are the ones that enrich independently.


We run 84 CVE detection rules in our exploit harvester, scanning GitHub every 6 hours for weaponized proof-of-concept code. When a CVE gets a working exploit on GitHub, we index it — with the exploitation pattern, the target software, the indicators of compromise, and the detection signature — regardless of whether NVD has enriched it yet.


Yesterday we caught CVE-2026-37748 (Visitor Management System file upload RCE) 37 minutes after the PoC hit GitHub. NVD enrichment for that CVE may take days or weeks. Our STIX feed consumers had the detection signature before the researcher's repo had a single star.


This morning's headlines include 5 CVEs across Chrome, Windows Defender, SharePoint, Cisco ISE, and nginx-ui. All 5 are in our cisa_kev index. All 5 have been cross-referenced against our 1.08 million IOC database. All 5 are queryable by any of our 275+ STIX feed consumers right now.


NVD's enrichment backlog is someone else's problem. Not ours. Not our consumers'.





What This Means For The Market


NIST's announcement structurally increases the value of every independent vulnerability intelligence provider. Qualys, Tenable, Rapid7, Snyk, and the rest of the scanner ecosystem all depend on NVD enrichment for baseline correlation. When NVD slows down, their scanners slow down.


The providers who enrich independently — who cross-reference CVEs against live exploit code, who maintain their own CPE mappings, who publish indicators before NIST fills in the CVSS — will be the ones whose customers don't feel the gap.


We're not Qualys-scale. We're two people, one AI partner, and $75/month in infrastructure. But our exploit harvester caught a zero-hour weaponized PoC in 37 minutes this week, and our KEV index matched 5 for 5 on today's headline CVEs. The enrichment velocity doesn't depend on headcount. It depends on architecture.





What To Do


If you rely on NVD as your sole vulnerability data source: start supplementing. Subscribe to CISA KEV (we mirror it in real time). Subscribe to our STIX feed (free tier, 275+ orgs already do). Add GitHub exploit monitoring to your workflow.


If you run a vulnerability management program: audit which of your scanner's detection rules depend on NVD enrichment. Any rule that fires based on CVSS score, CWE classification, or CPE match is at risk of delayed detection for unenriched CVEs.
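One way to run that audit, as an added example rather than the post's or the feed's own tooling: it walks CVE records in the field layout of the NVD 2.0 JSON API (metrics, weaknesses, configurations, vulnStatus), classifies each as enriched or not, and lists the known-exploited CVEs that a CPE-keyed scanner rule cannot match. The sample records and KEV membership below are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records in the shape of NVD 2.0 API "cve" objects (not real NVD data).
SAMPLE_CVES = [
    {   # fully enriched: a rule keyed on CVSS, CWE or CPE can act on this one
        "id": "CVE-0000-0001", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
        "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}]}],
        "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:example:vms:1.0:*:*:*:*:*:*:*"}]}]}]},
    {   # a number and a paragraph: no CVSS, no CWE, no CPE yet
        "id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
        "descriptions": [{"lang": "en", "value": "Unauthenticated file upload leads to RCE."}],
        "references": [{"url": "https://example.invalid/advisory"}]},
    {   # partially enriched: placeholder CWE and still no CPE mapping
        "id": "CVE-0000-0003", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
        "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]},
]
KEV_IDS = {"CVE-0000-0002"}  # constructed CISA KEV membership for the sample
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

@dataclass
class EnrichmentStatus:
    cve_id: str
    has_cvss: bool
    has_cwe: bool
    has_cpe: bool
    in_kev: bool

    @property
    def enriched(self) -> bool:
        return self.has_cvss and self.has_cwe and self.has_cpe

    @property
    def blind_spot(self) -> bool:
        # Known exploited, yet a scanner rule that matches on CPE cannot see it
        return self.in_kev and not self.has_cpe

def audit(cve: dict, kev_ids: set) -> EnrichmentStatus:
    has_cvss = any(cve.get("metrics", {}).get(k) for k in CVSS_KEYS)
    # NVD fills NVD-CWE-noinfo / NVD-CWE-Other as placeholders; only a real CWE-nnn counts
    has_cwe = any(d.get("value", "").startswith("CWE-")
                  for w in cve.get("weaknesses", []) for d in w.get("description", []))
    has_cpe = any(m.get("criteria") for c in cve.get("configurations", [])
                  for n in c.get("nodes", []) for m in n.get("cpeMatch", []))
    return EnrichmentStatus(cve["id"], has_cvss, has_cwe, has_cpe, cve["id"] in kev_ids)

def blind_spots(cves, kev_ids) -> list:  # known exploited but invisible to CPE-keyed rules
    return sorted(s.cve_id for s in (audit(c, kev_ids) for c in cves) if s.blind_spot)
```

Point it at the `cve` objects from an NVD API response plus the id set from the KEV catalog to see which rules in your scanner are silently waiting on NIST.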


If you're a CISO writing a board report: NIST just gave you the justification to invest in independent threat intelligence. "Our national vulnerability database admitted it can't keep up" is a sentence that gets budget approved.


The CVE count will keep growing. NVD's enrichment capacity won't grow at the same rate. The gap between "vulnerability assigned" and "vulnerability actionable" is widening. Whoever closes that gap for your organization is worth paying for.


We close it in 37 minutes. The feed is free.


— Patrick




