
Analysis of NIST NVD 2022

    NVD

    National Vulnerability Database (NVD) information

    The National Vulnerability Database (NVD) is the US government repository of standards-based vulnerability management data, represented using the Security Content Automation Protocol (SCAP). This data enables vulnerability management, security measurement, and compliance to be automated. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

    The NVD has undergone multiple iterations and improvements since its inception in 1999 (as the Internet – Categorization of Attacks Toolkit or ICAT), and will continue to do so in order to provide its services. The NIST Computer Security Division’s Information Technology Laboratory created the NVD, which is sponsored by the Cybersecurity & Infrastructure Security Agency. 

    The NVD analyses CVEs that have been added to the CVE Dictionary. NVD personnel are tasked with analyzing CVEs by aggregating data points from the description, the references provided, and any supplemental data that is publicly available at the time. This analysis yields associated impact metrics (CVSS), vulnerability types (CWE), and applicability statements (CPE), as well as other relevant metadata. The NVD does not actively perform vulnerability testing; instead it relies on information provided by vendors, third-party security researchers, and vulnerability coordinators to assign these attributes. CVSS scores, CWEs, and applicability statements are subject to change as new information becomes available. As time and resources allow, the NVD attempts to re-analyze CVEs that have been amended, to ensure that the information provided is up to date.

    The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the metric values used to derive the score. These properties make CVSS well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one's own systems and serving as one factor in prioritizing vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

    For further clarifications or support, please write to contact@paradigmitcyber.com
