National Vulnerability Database (NVD)

The National Vulnerability Database (NVD) is the U.S. government database of standards-based vulnerability management data. This data enables the automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

The NVD is represented using the Security Content Automation Protocol (SCAP).  SCAP is a suite of specifications for exchanging security automation content which is, in turn, used to assess configuration compliance and to detect open software vulnerabilities by version. Multiple tools can use the same SCAP content. The Security Content Automation Protocol (SCAP) specifications are also driven by community participation. Community participation helps to ensure that the most extensive possible set of use cases impact SCAP functionality. 

Initially created in 1999 as the Internet—Categorization of Attacks Toolkit (ICAT). I-CAT was a tool that allowed security professionals to obtain vulnerability information using the early Internet quickly. I-CAT had three primary services at that time. These services included attack description lookup, statistics on the most prevalent attacks, and measurements of current trends in cybersecurity publications document attacks. These three services allowed a security team to understand better the available attacks, which of these attacks were most prevalent, and how to identify additional information on the published attacks. The National Institute of Standards and Technology has wholly rewritten its old ICAT vulnerability Website and relaunched it in 2000 as the National Vulnerability Database.

The Homeland Security Department funded the NVD database. The NVD incorporated the Common Vulnerabilities and Exposures search engine, a standardized naming scheme for IT vulnerabilities developed by MITRE Corp and supported by DHS. NVD also integrates other government resources, such as alerts and advisories from US-CERT. 

The NVD has undergone multiple iterations and improvements to improve the services and information accessibility. The NVD is a product of the NIST Computer Security Division, Information Technology Laboratory, sponsored by the Cybersecurity & Infrastructure Security Agency.

The NVD performs analysis on Cybersecurity Vulnerabilities and Exposures (CVEs) published to the CVE Dictionary. CVE is a list of publicly disclosed cybersecurity vulnerabilities launched in 1999 by MITRE Corp.

CVE enables organizations to identify a baseline for their security tools coverage. The NVD contains CVEs that have been published. Once the CVE is published in the CVE data feeds, they are usually posted to the online database in a few hours. CVEs are designed to standardize the way a security vulnerability is identified.  The CVE description includes the name of the impacted vendor and the product, a summary of the impacted versions, and information about the vulnerability, exploits, and anything else available. The CVE also includes references to other vulnerability data.

The NVD analysis of CVEs assigns a Common Vulnerability Scoring System (CVSS) score to each vulnerability, determines the vulnerability types (CWE), defines applicability (CPE), and provides other relevant information, often in great detail, about how the vulnerability can be exploited. Organizations can use this to prioritize the remediation of vulnerabilities to reduce risk and potential impact on their infrastructure and networks.

It is essential to understand that the CVE is a list of vulnerability entries, and NVD is a comprehensive database that correlates closely with the CVE. Updates made to the CVE list are shown in the NVD as well. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) sponsors the CVE and the NVD.

The NVD is organized into general information, vulnerabilities, vulnerability metrics, products, developers, contact NVD, and more. In addition, the general information section includes information about the NVD dashboard, news, the email list, the FAQ, and visualizations.  Finally, It is important to remember that the NVD generally contains a subset of all vulnerabilities that have been given a CVE identifier, nothing else. 

Google Groups, which are used to manage notifications and related discussions to NIST efforts which include (this list is provided verbatim from NIST material):

• NVD News Google Group/ Join NVD News Google group to receive notifications regarding significant changes to the NVD, our data feeds, or other vital topics.
• Security Content Automation Protocol (SCAP). Join the SCAP-Dev Google group for notifications or discussion regarding the Security Content Automation Protocol (SCAP). 
• Extensible Configuration Checklist Description Format (XCCDF). Join the XCCDF-DEV Google group for notifications or discussion about the Extensible Configuration Checklist Description Format (XCCDF). 
• Common Configuration Enumeration (CCE) Working Group. Join the CCE Working Group Google group for notifications or discussion about the development of CCE.
• Common Platform Enumeration. Join the CPE Discussion Google group for notifications or discussion about CPE development.
• Open Checklist Interactive Language. Join the OCIL Discussion Google group for notifications or discussion about OCIL.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.