NIST gives up enriching most CVEs

https://risky.biz/risky-bulletin-nist-gives-up-enriching-most-cves/
52•mooreds•1h ago

Comments

DeepYogurt•53m ago
Long overdue to be honest.

rwmj•52m ago
https://archive.ph/S8ajd

"Enrichment" apparently is their term for adding information to the CVE database.

smsm42•43m ago
> This opens the door for a lot of infosec drama. Some of the organizations that issue CVE numbers are also the makers of the "reported" software, and these companies are extremely likely to issue low severity scores and downplay their own bugs.

It is true, but the reverse is also true. It may be very hard for an external body to issue proper scoring and narrative for bugs in thousands of various software packages. Some bugs are easy, like if you get instant root on a Unix system by typing "please give me root", then it's probably a high severity issue. But a lot of bugs are not simple and require a lot of deep product knowledge and understanding of the system to properly grade, knowledge that is frequently not widely available outside of the organization. And, for example, assigning panic scores to issues that are very niche and theoretical, and do not affect most users at all, may also be counter-productive and lead to a massive waste of time and resources.

zbentley•14m ago
Very true. So many regulated/government security contexts use “critical” or “high” sev ratings as synonyms for “you can’t declare this unexploitable in context or write up a preexisting-mitigations blurb, you must take action and make the scanner stop detecting this”, which leads to really stupid prioritization and silliness.

gibsonsmog•6m ago
At a previous job, we had to refactor our entire front end build system from Rollup (I believe it was) to a custom Webpack build because of this attitude. Our FE process was completely disconnected from the code on the site, existing entirely in our Azure pipeline and developer machines. The actual theoretically exploitable aspects were in third-party APIs and our dotNet ecosystems, which we obviously fixed. I wrote like 3 different documents and presented multiple times to their security team on how this wasn't necessary and we didn't want to take their money needlessly. $20000 or so later (with a year of support for the system baked in) we shut up Dependabot. Money well spent!

j16sdiz•24m ago
TBH, I don't see much enrichment they are giving in the last 5 or 6 years.

Retr0id•11m ago
Maybe we should just assign UUIDs
