NIST calls time on older vulnerabilities amid surging disclosures www.computerweekly.com/news/3666…

The United States’ national metrology institute, the National Institute of Standards and Technology (NIST), is to cease providing updates to tens of thousands of older common vulnerabilities and exposures (CVEs) held within its National Vulnerability Database (NVD).

In an announcement posted last week, the standards body said that every CVE with a published date prior to 1 January 2018 would now be marked as deferred within the NVD dataset.

“We are assigning this status to older CVEs to indicate that we do not plan to prioritise updating NVD enrichment or initial NVD enrichment data due to the CVE’s age,” NIST said in a statement.

NIST’s announcement comes as the organisation struggles to deal with a backlog of thousands of CVEs that need to be analysed and processed. At points last year, this backlog hit 18,000 records as new submissions surged by 32%. It has been exploring the use of new technologies, including machine learning, to try to automate its way out of its dilemma.