National Vulnerability Database

Print Print
Reading time 3:16

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP).

On Friday March 8, 2013, the database was taken offline after it was discovered that the system used to run multiple government sites had been compromised by a software vulnerability of Adobe ColdFusion.[1][2]

On June 2017, threat intel firm Recorded Future revealed that the median lag between a CVE2 being revealed to ultimately being published to the NVD is 7 days and that 75% of vulnerabilities are published unofficially before making it to the NVD, giving attackers time to exploit the vulnerability.[3]

In addition to providing a list of Common Vulnerabilities and Exposures (CVEs), the NVD scores vulnerabilities using the Common Vulnerability Scoring System (CVSS) which is based on a set of equations using metrics such as access complexity and availability of a remedy.[4]

See also

  • Common Weakness Enumeration
  • Common Vulnerabilities and Exposures


  1. ^ at 17:55, Jack Clark in San Francisco 14 Mar 2013. "Downed US vuln catalog infected for at least TWO MONTHS". Retrieved 2019-10-29.
  2. ^ "US national vulnerability database hacked."
  3. ^ "75% of Vulns Shared Online Before NVD Publication". Dark Reading. Retrieved 2019-10-29.
  4. ^ "NVD - CVSS v2 Equations". Archived from the original on 2013-12-21.

External links

Edited: 2021-06-18 14:11:22