NIST will no longer prioritise updating the older flaws.
NIST has announced that all CVEs published before January 1st, 2018 will be marked as ‘Deferred’ in the National Vulnerability Database (NVD).
Because these CVEs are older, NIST will no longer prioritise updating their NVD enrichment data, or performing initial enrichment, unless they are or have been included in CISA’s Known Exploited Vulnerabilities (KEV) catalogue.
As vulnerability researcher Patrick Garrity points out, roughly one in three CVEs in the NVD was detected before 2018.
Tim Mackey, head of software supply chain risk at Black Duck, said, “While it may be concerning to see older CVEs, particularly those associated with prominent vulnerabilities, be triaged to a lower priority, the reality is that the CVE remains in the NVD with a recognition that updates to older CVEs are infrequent.
“For practical purposes, I would view any organisation that hasn’t patched or mitigated something now labelled as ‘Deferred’ as having an underperforming patch management or DevOps cybersecurity programme. Let’s make this event a call to action for Product Security Incident Response Teams to inventory all software and then triage all vulnerabilities with a Deferred status.”
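One way a PSIRT could act on that call, as an added example that is not from the article or from NIST: apply the announced rule (pre-2018 and never on KEV means ‘Deferred’) to the CVEs found in a software inventory, put KEV entries first, separate the Deferred ones whose NVD enrichment is now frozen, and flag records whose status disagrees with the rule. The NVD record field names (`id`, `published`, `vulnStatus`) follow the NVD API 2.0 layout; the CVE records, KEV membership and inventory are constructed sample data.

```python
import json
from datetime import datetime

# Cutoff from the NIST announcement: CVEs published before this date are
# marked 'Deferred' unless they are, or have been, in CISA's KEV catalogue.
DEFERRAL_CUTOFF = datetime(2018, 1, 1)

# Constructed NVD API 2.0-style records (assumed field names; not real data).
SAMPLE_NVD_JSON = """{"vulnerabilities": [
  {"cve": {"id": "CVE-2017-0001", "published": "2017-03-14T10:00:00.000", "vulnStatus": "Deferred"}},
  {"cve": {"id": "CVE-2016-0002", "published": "2016-06-01T09:30:00.000", "vulnStatus": "Analyzed"}},
  {"cve": {"id": "CVE-2019-0003", "published": "2019-01-10T12:00:00.000", "vulnStatus": "Analyzed"}},
  {"cve": {"id": "CVE-2015-0004", "published": "2015-09-20T08:00:00.000", "vulnStatus": "Deferred"}},
  {"cve": {"id": "CVE-2014-0005", "published": "2014-02-02T08:00:00.000", "vulnStatus": "Analyzed"}}
]}"""
# Constructed KEV membership and inventory; in practice load CISA's KEV feed
# and the CVE ids reported by your SBOM / vulnerability scanner.
SAMPLE_KEV = {"CVE-2016-0002"}
SAMPLE_INVENTORY = {"CVE-2017-0001", "CVE-2016-0002", "CVE-2015-0004", "CVE-2014-0005"}

def parse_nvd(nvd_json):
    """Return {cve_id: (published datetime, vulnStatus)} from an NVD-style response."""
    records = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        published = datetime.strptime(cve["published"][:10], "%Y-%m-%d")
        records[cve["id"]] = (published, cve.get("vulnStatus", ""))
    return records

def expected_status(published, cve_id, kev_ids):
    """The announced rule: published before 2018 and never on KEV -> Deferred."""
    return "Deferred" if published < DEFERRAL_CUTOFF and cve_id not in kev_ids else "Active"

def triage(nvd_json, kev_ids, inventory_ids):
    """Bucket the CVEs present in our inventory for PSIRT follow-up."""
    records = parse_nvd(nvd_json)
    buckets = {"exploited": [], "deferred": [], "current": [], "unexpected": []}
    for cve_id in sorted(inventory_ids & set(records)):
        published, status = records[cve_id]
        if cve_id in kev_ids:
            buckets["exploited"].append(cve_id)   # known exploited: fix first
        elif status == "Deferred":
            buckets["deferred"].append(cve_id)    # NVD enrichment frozen: assess with vendor data
        else:
            buckets["current"].append(cve_id)
        # Sanity check: record status disagrees with the published rule
        # (e.g. pre-2018, not on KEV, but not yet marked Deferred).
        if (status == "Deferred") != (expected_status(published, cve_id, kev_ids) == "Deferred"):
            buckets["unexpected"].append(cve_id)
    return buckets
```

The `unexpected` bucket is the one to review by hand, since it holds records the rule says should be Deferred (or not) but whose status says otherwise.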
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.