National Vulnerability Database

The National Vulnerability Database (NVD) is the most comprehensive publicly accessible repository of vulnerability intelligence. It is maintained by the National Institute of Standards and Technology (NIST) and draws on the work of MITRE and others.

Vulnerabilities in the NVD are referred to as Common Vulnerabilities and Exposures (CVE) entries. Over 100,000 CVEs have been recorded in the NVD since the 1990s.

Dependency-Track relies mainly on the data provided by the NVD and contains a full mirror, which is updated daily or whenever the Dependency-Track instance is restarted.

Credit is given to the National Vulnerability Database through visual and textual indicators of where the data originates. There are also links back to the original CVE.

How the NVD came to be and how it helps IT and security professionals analyze and improve their organization's security posture.

Who Maintains the National Vulnerability Database (NVD)?

The National Vulnerability Database (NVD) is a comprehensive database of known vulnerabilities that have been assigned CVEs. It is maintained by the National Institute of Standards and Technology (NIST). It is supported by the Department of Homeland Security's National Cybersecurity and Communications Integration Center and the Network Security Deployment.

When was the NVD founded?

The NVD was first developed in 2000 as the Internet – Categorization of Attacks Toolkit, or ICAT. It subsequently grew into the vulnerability repository that it is today.

What Does the NVD Offer?

The NVD analyses CVEs – the catalogue of known security risks – and performs the following tasks:

Each vulnerability is assigned a CVSS (Common Vulnerability Scoring System) score.

Vulnerability types are defined with Common Weakness Enumeration (CWE), and applicability statements with Common Platform Enumeration (CPE). The analysis also provides several other pieces of information relevant to how the vulnerability works and how exploitable it is.

Organizations may use this data to prioritize the vulnerabilities and patches that should be deployed to keep their IT infrastructure secure.
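The following added example, which is not code from the NVD or from Dependency-Track, shows this prioritization over records laid out like NVD CVE API 2.0 entries: it extracts the CVSS base score, CWE and CPE from each record, keeps the records that match an inventory, and ranks them. The records, the inventory, the helper names and the exact-version CPE match are assumptions made for illustration.

```python
import re

# CVE ID: "CVE" prefix, four-digit year, sequence number of four or more digits.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def make_record(cve_id, score, cwe, cpe):
    """Build one constructed record laid out like an NVD CVE API 2.0 entry."""
    metrics = {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]} if score is not None else {}
    return {"cve": {"id": cve_id, "metrics": metrics,
        "weaknesses": [{"description": [{"lang": "en", "value": cwe}]}],
        "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True, "criteria": cpe}]}]}]}}

# Placeholder IDs, scores, CWEs and CPE names; none of this is real NVD data.
SAMPLE = [
    make_record("CVE-2099-0001", 5.3, "CWE-79", "cpe:2.3:a:example_vendor:web_app:2.1:*:*:*:*:*:*:*"),
    make_record("CVE-2099-0002", 9.8, "CWE-787", "cpe:2.3:a:example_vendor:image_lib:1.4:*:*:*:*:*:*:*"),
    make_record("CVE-2099-0003", None, "NVD-CWE-noinfo", "cpe:2.3:a:example_vendor:web_app:2.1:*:*:*:*:*:*:*"),
    make_record("CVE-2099-0004", 7.5, "CWE-400", "cpe:2.3:a:other_vendor:proxy:3.0:*:*:*:*:*:*:*"),
]
# Hypothetical asset inventory as (vendor, product, version) tuples.
INVENTORY = {("example_vendor", "web_app", "2.1"), ("example_vendor", "image_lib", "1.4")}

def summarize(record):
    """Extract the ID, CVSS v3.1 base score, CWEs and affected products from one record."""
    cve = record["cve"]
    m = CVE_ID.match(cve["id"])
    if not m:
        raise ValueError(f"malformed CVE ID: {cve['id']!r}")
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    score = metrics[0]["cvssData"]["baseScore"] if metrics else None  # None: not yet scored
    cwes = sorted({d["value"] for w in cve.get("weaknesses", []) for d in w["description"]})
    products = set()
    for cfg in cve.get("configurations", []):
        for node in cfg["nodes"]:
            for match in node["cpeMatch"]:
                if match["vulnerable"]:
                    # Naive split: enough here, but real CPE names can contain escaped colons.
                    vendor, product, version = match["criteria"].split(":")[3:6]
                    products.add((vendor, product, version))
    return {"id": cve["id"], "year": int(m.group(1)), "score": score, "cwes": cwes, "products": products}

def prioritize(records, inventory):
    """Return (scored, unscored) summaries for CVEs that affect something in the inventory."""
    hits = [s for s in map(summarize, records) if s["products"] & inventory]
    scored = sorted((s for s in hits if s["score"] is not None), key=lambda s: s["score"], reverse=True)
    unscored = [s for s in hits if s["score"] is None]  # kept visible instead of silently dropped
    return scored, unscored
```

Records without a CVSS score come back in their own list, so an entry that has not been analysed yet still reaches a reviewer.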

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a standard reporting format for publicly known security vulnerabilities. MITRE, a government-funded research company, established the CVE in 1999 to classify security concerns.

CVE, more than just a database, lets enterprises establish a baseline for their security tool coverage. It enables them to correlate data between vulnerabilities and the services and usage of their security products.

What Is the Goal of CVE?

The primary goal of CVE is to standardize how a security vulnerability or risk is recognized: with a unique identifier, a description, and at least one public reference. CVE is open to the public and free to use. CVE-2020-16891 is an example of a CVE ID, which consists of the CVE prefix, the year the CVE ID was assigned or the vulnerability was made public, and the sequence number digits.

The CVE description includes information such as the name of the affected product and manufacturer, a summary of impacted versions, the vulnerability type, the effect, the access required by an attacker to exploit the vulnerability, and the critical code components or inputs involved.

What Is the Distinction Between NVD and CVE?

While the names of these two lists/databases are frequently used interchangeably, they are distinct, albeit related, entities. CVE is just a list of vulnerability entries. The NVD, however, is a more powerful database based on and fully synced with the CVE list, ensuring that any revisions to the CVE list are reflected in the NVD. As previously explained, the NVD also includes the analysis component for each vulnerability. According to MITRE, the CVE list feeds the NVD. Both are sponsored by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA).