NIST has announced it will no longer provide full CVSS scoring, CPE matching, and CWE classification for the lowest-priority tier of CVE submissions in the NVD. The change, driven by a 263% surge in annual CVE volumes since 2024, means thousands of CVE records will remain in an unenriched 'DEFERRED' state — with no CVSS score, no affected product mapping, and no severity rating. Enterprise vulnerability management programmes that rely on NVD as their authoritative source must adapt their workflows immediately.
Every second Tuesday, the industry runs a collective sprint to triage, test, and deploy hundreds of Microsoft patches before the next cycle begins. We call this a patching programme. It isn't. It's a treadmill — and the real security question is whether we're measuring the right thing.
CipherWatch Editorial
Security Intelligence Platform