
NIST gives up enriching most CVEs

https://risky.biz/risky-bulletin-nist-gives-up-enriching-most-cves/
74•mooreds•2h ago

Comments

DeepYogurt•1h ago
Long overdue to be honest.
rwmj•1h ago
https://archive.ph/S8ajd

"Enrichment" apparently is their term for adding information to the CVE database.

smsm42•1h ago
> This opens the door for a lot of infosec drama. Some of the organizations that issue CVE numbers are also the makers of the "reported" software, and these companies are extremely likely to issue low severity scores and downplay their own bugs.

It is true, but the reverse is also true. It may be very hard for an external body to issue proper scoring and narrative for bugs in thousands of various software packages. Some bugs are easy: if you get instant root on a Unix system by typing "please give me root", then it's probably a high severity issue. But a lot of bugs are not simple and require a lot of deep product knowledge and understanding of the system to properly grade. That knowledge is frequently not widely available outside of the organization. And, for example, assigning panic scores to issues that are very niche and theoretical, and do not affect most users at all, may also be counter-productive and lead to massive waste of time and resources.

zbentley•1h ago
Very true. So many regulated/government security contexts use “critical” or “high” sev ratings as synonymous for “you can’t declare this unexploitable in context or write up a preexisting-mitigations blurb, you must take action and make the scanner stop detecting this”, which leads to really stupid prioritization and silliness.
gibsonsmog•1h ago
At a previous job, we had to refactor our entire front end build system from Rollup (I believe it was) to a custom Webpack build because of this attitude. Our FE process was completely disconnected from the code on the site, existing entirely in our Azure pipeline and developer machines. The actual theoretically exploitable aspects were in third party APIs and our dotNet ecosystems, which we obviously fixed. I wrote like 3 different documents and presented multiple times to their security team on how this wasn't necessary and we didn't want to take their money needlessly. $20000 or so later (with a year of support for the system baked in) we shut up Dependabot. Money well spent!
rdtsc•6m ago
> It is true but the reverse is also true.

Yup. Almost every single time, NVD came up with some ridiculously inflated numbers without any rhyme or reason. Every time I saw their evaluation it lowered my impression of them.

j16sdiz•1h ago
TBH, I don't see much enrichment they have been giving in the last 5 or 6 years.
Retr0id•1h ago
Maybe we should just assign UUIDs
shevy-java•44m ago
> Going forward, NIST says its staff will only add data—in a process called enrichment—only for important vulnerabilities.

Now - I am not saying I disagree with everything here, mind you; I guess everyone may agree that CVEs may range in severity. But then the question also is ... what is the point of an organisation that is cut down to, say, handle 1% of CVEs - and ignore the rest? Why have such an organisation then to begin with?

I don't have enough data to conclude anything, but from a superficial glance it kind of seems like trying to cut down on standards or efficiency.

tsimionescu•30m ago
NIST does many other things in addition to handling the CVE database.
tptacek•40m ago
The NVD was an absolutely wretched source of severity data for vulnerabilities and there is no meaningful impact to vendors/submitters supplying their own CVSS scores, other than that it continues the farce of CVSS in a reduced form, which is a missed opportunity.
pimlottc•6m ago
What is the data that NIST is adding for enriched entries?
