The National Institute of Standards and Technology (NIST) is comprehensively reforming the operations of the vulnerability database… starting with enriching “high-risk CVEs.”
The National Institute of Standards and Technology (NIST) has made significant adjustments to the operation of the National Vulnerability Database (NVD). Going forward, it will no longer analyze every Common Vulnerabilities and Exposures (CVE) record it receives, but will instead shift to a “risk-based filtering” system that prioritizes vulnerabilities with higher actual risk.
This move is due to the surge in CVE submissions, which has become difficult to handle with the current approach. According to NIST, from 2020 to 2025, CVE submissions increased by 263%, and in the first quarter of 2026, submissions were about one-third higher than in the same period last year. NIST explains that although approximately 42k CVEs were enriched in 2025, an increase of 45% over the previous year, this is still insufficient to keep pace with the growth.
From now on, analysis will start with the “most dangerous vulnerabilities.”
Under the new standard, NIST will only prioritize a CVE for “full enrichment” if it meets one of three conditions: it is listed on the U.S. Cybersecurity and Infrastructure Security Agency (CISA) “Known Exploited Vulnerabilities” (KEV) list; it affects software used by the U.S. federal government; or it impacts products related to “critical software” as specified in Executive Order 14028.
In particular, for vulnerabilities listed on the CISA KEV list, the goal is to complete enrichment within one business day after submission. CVEs that do not meet these conditions will continue to be registered in the NVD but will be categorized as “unscheduled.” In such cases, the risk scores and product information used by security teams to determine patch priorities will not be automatically added.
Cleaning up backlog since 2024
NIST also plans to clear the backlog accumulated since early 2024. In principle, CVEs that were published in the NVD before March 1, 2026, but have not yet been enriched will be moved to “unscheduled.” However, vulnerabilities already listed on the KEV list are excluded from this cleanup.
Some processes will also be simplified. If the CVE Numbering Authority (CNA) has already provided a risk score, NIST will no longer recalculate the same score. Additionally, for CVEs that have been modified, re-analysis will not be performed with each update unless the changes significantly impact the enrichment data.
AI cited as a factor behind the surge in vulnerability reports
Although NIST did not explicitly state that artificial intelligence (AI) is the cause, industry experts believe AI is a key factor driving the increase in CVE reports. Vincenzo Iozzo, co-founder and CEO of identity threat detection and response firm SlashID, said, “The surge in verified vulnerability reports found by AI,” and “some analyses suggest that the number of vulnerabilities reported last year alone doubled.”
He described the policy change as “a reasonable adjustment because the most critical categories will still be addressed.” He also predicted that as large language models (LLMs) improve, organizations will be able to assess vulnerability priorities and context based on their own environment, gradually reducing reliance on externally “enriched CVEs.”
“Now, we can’t just wait for CVE scores anymore”
Shane Fry, CTO of RunSafe Security, pointed out that this announcement sends a clear signal to the industry. He said, “This means the era of waiting for CVE scores before responding is over.”
Fry emphasized that, given the inherently incomplete nature of vulnerability visibility, enterprises and organizations should not rely solely on a single database. Instead, they should combine multiple sources of vulnerability information to make more accurate judgments. He added that they should also establish defenses that can prevent exploitation even before patches or official scores are released, assuming that unknown vulnerabilities may already exist in the software.
This reform is more akin to a market structure change than a simple administrative adjustment. In an environment of rising vulnerability counts, the approach of analyzing all items with equal depth has reached its limit, and NIST has ultimately shifted toward a “priority-based” direction. In security practice, future efforts will focus more on rapid judgment that integrates threat intelligence and asset status, rather than merely waiting for NVD scores.
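A sketch of triage that does not wait for an NVD score, combining the sources named above (NVD record, CNA-supplied score, CISA KEV membership, local asset status). This is an added example, not code from NIST or the article; the records, placeholder CVE ids, hostnames, tier names and the 7.0 cutoff are constructed assumptions, with keys modeled on the NVD API 2.0 and KEV JSON layouts.

```python
# Added example. All records are constructed; keys follow the NVD API 2.0 and
# CISA KEV JSON layouts, trimmed to what is used here. CVE ids are placeholders.
NVD_RECORDS = [
    {"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "cvssData": {"baseScore": 9.8}}]}},
    {"id": "CVE-0000-0002", "metrics": {"cvssMetricV31": [
        {"source": "cna@vendor.example", "cvssData": {"baseScore": 7.5}}]}},
    {"id": "CVE-0000-0003", "metrics": {}},  # not enriched, no CNA score
    {"id": "CVE-0000-0004", "metrics": {}},  # not enriched, but on KEV
]
KEV = {"vulnerabilities": [{"cveID": "CVE-0000-0004"}]}
# Hypothetical local inventory match (from an SBOM or scanner): CVE -> hosts.
ASSET_HITS = {"CVE-0000-0002": ["web-01"], "CVE-0000-0003": ["db-02"],
              "CVE-0000-0004": ["vpn-gw"]}

def best_score(record):
    """Return (base_score, origin): NVD's score if present, else the CNA's."""
    found = {}
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for metric in record.get("metrics", {}).get(key, []):
            origin = "nvd" if metric.get("source") == "nvd@nist.gov" else "cna"
            found.setdefault(origin, metric["cvssData"]["baseScore"])
    for origin in ("nvd", "cna"):
        if origin in found:
            return found[origin], origin
    return None, "none"

def triage(records, kev, asset_hits):
    """Map CVE id -> (tier, score, score_origin) without requiring an NVD score."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    result = {}
    for rec in records:
        score, origin = best_score(rec)
        deployed = bool(asset_hits.get(rec["id"]))
        if not deployed:
            tier = "P4-not-deployed"
        elif rec["id"] in kev_ids:
            tier = "P1-known-exploited"
        elif score is None:
            tier = "P2-unscored-review"  # a missing score is unknown, not low
        elif score >= 7.0:
            tier = "P2-high"
        else:
            tier = "P3-scheduled"
        result[rec["id"]] = (tier, score, origin)
    return result

if __name__ == "__main__":
    ranked = sorted(triage(NVD_RECORDS, KEV, ASSET_HITS).items(), key=lambda kv: kv[1][0])
    for cve, row in ranked:
        print(cve, *row)
```

The design point is the `P2-unscored-review` tier: a CVE left “unscheduled” with no score is routed to a human rather than sorted to the bottom as if its score were zero.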
TP AI Notice: This article summary is generated based on the TokenPost.ai language model. It may omit main content from the original text or differ from actual facts.