NIST has announced delays in the CVE enrichment process of its National Vulnerability Database (NVD), but the situation doesn’t impact Tenable VM customers because our vulnerability scoring is based on multiple sources.
We have heard concerns from many of our customers about the note posted on the NIST National Vulnerability Database (NVD) website advising of “temporary delays in analysis efforts” on CVE metadata updates, including CVSS scoring.
We want to reassure customers that Tenable Vulnerability Management products have based vulnerability scoring on a diverse range of sources for many years and do not rely solely on the NVD to determine CVSS scoring or vectors. In fact, in May 2023 Tenable Research published a “Mind the Gap” four-part series highlighting the value of our broad and diverse gathering of CVSS score sources to reduce the risk of waiting for NVD scoring.
With the increased lag in NVD CVSS metadata posting, our customers will find even greater value in Tenable’s proven approach to vulnerability scoring. Our publicly available website https://www.tenable.com/cve/newest can be used as a source of truth for the latest CVE vulnerabilities.
As a reminder, in the absence of NVD CVSSv3 scoring, Tenable Vulnerability Management products will generate CVSSv3 metrics from a diverse pool of sources. In addition, our proprietary VPR calculations provide a risk-based assessment of the vulnerabilities that matter most.
In short, regardless of the delays in NVD CVSS scoring updates, Tenable Vulnerability Management products will continue to have you covered.