What is the National Vulnerability Database (NVD)?


The National Vulnerability Database serves as the official storage of vulnerability management data, following U.S. government standards and utilising the Security Content Automation Protocol (SCAP). 

Within the NVD, you can find databases containing references to security checklists, software vulnerabilities, misconfigurations, product names, and impact metrics. This valuable data facilitates automated vulnerability management, security assessment, and compliance.

Dependency-track mainly relies on the data given by the NVD and contains a full list that is kept up to date daily or when the Dependency-track instance is restarted. 

Vulnerabilities can be searched up on the database, which then returns a unique Vulnerability ID, a description, its Common Vulnerability Scoring System (CVSS) severity, and references to advisories and solutions, among other beneficial tools.

Security professionals rely on the NVD to analyse and improve their organisation's security posture. 

Good read: Ultimate Security Checklist to Launch a Mobile App in Bahrain - iOS & Android


Who Maintains the National Vulnerability Database (NVD)?

The NVD is maintained by the National Institute of Standards and Technology (NIST). It is supported by the Department of Homeland Security's National Cybersecurity and Communications Integration Center and the Network Security Deployment.


When was the NVD founded?

The NVD was first developed in 2000 as the Internet – Categorization of Attacks Toolkit, or ICAT. It subsequently grew into the vulnerability repository that it is today.


What Does the NVD Offer?

The NVD analyses CVEs – the catalogue of known security risks – and performs the following tasks: 

  • Each vulnerability is assigned a Common Vulnerability Scoring System (CVSS) score. 
  • The Common Weakness Enumeration Specification (CWE), a detailed list categorising different vulnerability types, is used to associate specific weaknesses with vulnerabilities and provide additional information about their characteristics and potential impact.
  • Common Platform Enumeration (CPE) is used to provide additional information about vulnerabilities. It includes specific details about the affected platform, software, or hardware associated with a vulnerability. This information helps in understanding how the vulnerability functions and how cybercriminals can exploit it.

Organisations may use this data to prioritise the vulnerabilities and patches that should be deployed to keep their IT infrastructure secure. 



In conclusion, the National Vulnerability Database (NVD) is a vital resource for cybersecurity professionals and organisations seeking to enhance their security posture. It serves as a comprehensive repository of vulnerability intelligence. It relies on the Common Vulnerabilities and Exposures (CVE) system to categorise and track known vulnerabilities. 

The NVD provides critical information such as Common Vulnerability Scoring System (CVSS) scores, applicability assertions, and Common Platform Enumeration (CPE) data. 

By leveraging the NVD, organisations can prioritise and address vulnerabilities effectively, strengthening their IT infrastructure's security. The integration between CVE and NVD ensures that the database remains up to date, supporting cybersecurity professionals in their efforts to mitigate risks and protect against cyber threats. 

Get a cybersecurity expert’s opinion on your mobile applications’ defences against cyber threats. Set up a call with Appknox today.

Read more about the Common Vulnerabilities and Exposures (CVE).

Frequently Asked Questions

  1. Q) What is NVD in cyber security?
  2. A) In cybersecurity, NVD refers to the National Vulnerability Database. The NVD is a comprehensive repository of vulnerability intelligence maintained by the National Institute of Standards and Technology (NIST) in the United States.
  1. Q) What is the NVD used for?
  2. A) The primary function of the National Vulnerability Database (NVD) is to provide comprehensive and up-to-date information about known vulnerabilities in software and systems. The NVD serves as a central repository of vulnerability intelligence.
  4. Q) Who maintains NVD?
  5. A) The NVD is maintained by the National Institute of Standards and Technology (NIST), a federal agency within the United States Department of Commerce.
  7. Q) How often is NVD updated?
  8. A) According to NVD’s website, the "year" feeds of the NVD receive updates on a daily basis, while the "recent" and "modified" feeds receive updates every two hours.