
What is the National Vulnerability Database (NVD)?

The National Vulnerability Database (NVD) is a repository of information about known software security vulnerabilities. The database is maintained by NIST, a U.S. government agency, and is freely available to the public. Although other public databases of security vulnerabilities exist, such as MITRE's CVE list, the NVD typically provides more information about each vulnerability.

Knowing that a security vulnerability exists in software you use is one thing – and you can gain that visibility by monitoring lists of Common Vulnerabilities and Exposures (CVEs), which document known software security flaws – but to take effective action in response to a CVE, organizations often need to know more than the basics.

They require insight into how severe the vulnerability is, for example, and exactly how threat actors can exploit it.

This is where the National Vulnerability Database (NVD) comes in. By providing not just a list of CVEs, but also valuable contextual information, the NVD helps businesses take effective action against known risks.

What is the NVD?

The National Vulnerability Database (NVD) is a publicly available repository of information about software security vulnerabilities. Created in 2005, the NVD is maintained by the National Institute of Standards and Technology (NIST), a U.S. federal government agency. NIST makes the NVD freely accessible to anyone in the world.

The primary purpose of the NVD is to provide a centralized database where software developers and security researchers can share important information about known vulnerabilities, how much risk they pose, and how to mitigate them.

NVD vs. CVE

Each vulnerability in the NVD – which catalogs more than 270,000 risks as of late 2024 – is a Common Vulnerabilities and Exposures (CVE) entry. This means it’s a publicly disclosed vulnerability with a unique identifier. CVEs are managed by the MITRE Corporation, a nonprofit organization focused on protecting critical infrastructure.

In addition to overseeing the registration of CVEs, MITRE maintains a public CVE database. Various other organizations, such as CVEdetails.com, also provide inventories of CVEs.

CVE databases are great if you want to track known vulnerabilities. However, the shortcoming of standard CVE databases – and the factor that distinguishes them from the National Vulnerability Database – is that CVE databases typically offer only relatively basic information about each vulnerability.

CVE data usually includes:

  • Identification of the software application or package that is affected by the CVE, including specific versions (if known).
  • A short description of the vulnerability and the type of attack or security flaw it enables.
  • Information about who discovered the vulnerability.

In contrast, the NVD goes much further. For each CVE that it tracks, the NVD reports not just the basic CVE data described above but also, in most cases, the following:

  • A Common Vulnerability Scoring System (CVSS) rating, which scores each vulnerability by the severity of the harm it could cause.
  • A Common Weakness Enumeration (CWE) identifier, which categorizes the CVE by the type of weakness behind it.
  • A Common Platform Enumeration (CPE) identifier, which names the platforms, products and version ranges that the CVE affects.
  • Details about how threat actors can exploit the vulnerability.

With the information provided by the NVD, security and development teams can more quickly determine if a CVE that affects software their organization uses poses a major threat, as well as gain insights on how to mitigate the risk.
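The CVSS, CWE and CPE fields described above are what turn a bare CVE identifier into something a team can act on. As an added illustration that is not part of this glossary entry or of any Checkmarx product, the following Python script reads a record in the shape of an NVD API 2.0 response, pulls out those three fields, matches the CPE configuration data against a software inventory, and orders the hits by CVSS base score. The response body, the CVE ids, the vendor and product names, the versions and the inventory are all constructed placeholders (nothing here is a real vulnerability); the production-before-test tie-break is an assumed local rule standing in for the environment-specific context that generic CVSS scores lack.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Constructed sample in the shape of an NVD API 2.0 response (the live endpoint is
# https://services.nvd.nist.gov/rest/json/cves/2.0). Every id, vendor, product,
# version and score below is a placeholder, not a real vulnerability.
SAMPLE_NVD_RESPONSE = json.dumps({
    "format": "NVD_CVE", "version": "2.0",
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-00001", "published": "2024-01-10T12:00:00.000", "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en", "value": "Constructed: SQL injection in examplecorp widget."}],
            "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {
                "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "weaknesses": [{"type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:widget:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.0"}]}]}]}},
        {"cve": {
            "id": "CVE-0000-00002", "published": "2024-02-01T09:30:00.000", "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en", "value": "Constructed: information disclosure in examplecorp gadget."}],
            "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {
                "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "baseScore": 3.3, "baseSeverity": "LOW"}}]},
            "weaknesses": [{"type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:gadget:1.1.0:*:*:*:*:*:*:*"}]}]}]}},
    ]
})

# Constructed inventory of what "we" run; in practice this would come from an SBOM or asset database.
INVENTORY = [
    {"vendor": "examplecorp", "product": "widget", "version": "2.3.1", "environment": "production"},
    {"vendor": "examplecorp", "product": "gadget", "version": "1.1.0", "environment": "test"},
    {"vendor": "examplecorp", "product": "gadget", "version": "1.2.0", "environment": "production"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1); non-numeric fragments compare as 0 (sufficient for this sample)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def cpe_fields(criteria: str) -> List[str]:
    """Split a CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:update:... (13 fields)."""
    return criteria.split(":")


def cpe_match_applies(match: Dict[str, Any], item: Dict[str, str]) -> bool:
    """Does one NVD cpeMatch entry cover the inventory item (same vendor/product, version in range)?"""
    if not match.get("vulnerable", False):
        return False
    fields = cpe_fields(match["criteria"])
    vendor, product, version = fields[3], fields[4], fields[5]
    if vendor != item["vendor"] or product != item["product"]:
        return False
    have = parse_version(item["version"])
    if version != "*":                       # exact version pinned in the CPE string itself
        return parse_version(version) == have
    # wildcard version: apply the range qualifiers NVD attaches to the match entry
    if match.get("versionStartIncluding") and have < parse_version(match["versionStartIncluding"]):
        return False
    if match.get("versionStartExcluding") and have <= parse_version(match["versionStartExcluding"]):
        return False
    if match.get("versionEndIncluding") and have > parse_version(match["versionEndIncluding"]):
        return False
    if match.get("versionEndExcluding") and have >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def summarize_cve(cve: Dict[str, Any]) -> Dict[str, Any]:
    """Pull out the fields the NVD adds on top of the bare CVE record: CVSS, CWE and CPE data."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    primary = next((m for m in metrics if m.get("type") == "Primary"), metrics[0] if metrics else None)
    cvss = primary["cvssData"] if primary else {}
    return {
        "id": cve["id"],
        "base_score": cvss.get("baseScore"),
        "severity": cvss.get("baseSeverity"),
        "vector": cvss.get("vectorString"),
        "cwes": sorted({d["value"] for w in cve.get("weaknesses", []) for d in w["description"]}),
        "cpe_matches": [m for c in cve.get("configurations", []) for n in c["nodes"] for m in n["cpeMatch"]],
    }


def triage(feed_json: str, inventory: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Match every NVD record against the inventory and order the hits by CVSS base score."""
    hits = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        summary = summarize_cve(entry["cve"])
        for item in inventory:
            if any(cpe_match_applies(m, item) for m in summary["cpe_matches"]):
                hits.append({"cve": summary["id"], "severity": summary["severity"],
                             "base_score": summary["base_score"], "cwes": summary["cwes"],
                             "asset": f'{item["product"]} {item["version"]}',
                             "environment": item["environment"]})
    # generic CVSS score first; within a score, production assets before test ones (assumed local rule)
    return sorted(hits, key=lambda h: (-h["base_score"], h["environment"] != "production"))


if __name__ == "__main__":
    for hit in triage(SAMPLE_NVD_RESPONSE, INVENTORY):
        print(hit)
```

Running the script lists the widget 2.3.1 install (inside the 2.0.0 to 2.4.0 range) as a critical hit and the gadget 1.1.0 test install as a low one; gadget 1.2.0 is not matched because the CPE pins version 1.1.0 exactly. Replacing SAMPLE_NVD_RESPONSE with a real API response keeps the same parsing logic.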

The importance of NVD

CVE records on their own provide limited insight into software vulnerabilities and little basis for action. By providing additional information – including severity ratings and exploitation details – the NVD enables rapid decision-making about how to respond to a CVE.

This is particularly critical because hundreds of new CVEs are typically reported each day. Faced with such a high volume of vulnerability reports that may impact their software supply chains, organizations often struggle to determine how much risk each vulnerability poses and which ones to prioritize.

The contextual information offered by the NVD helps them to make more informed decisions so they can use their time and resources more efficiently.

Limitations of the National Vulnerability Database

While the NVD is a key resource for tracking and assessing cybersecurity vulnerabilities, it is subject to some important limitations:

  • The NVD only tracks vulnerabilities that have been publicly disclosed and assigned a CVE number. This means that not all vulnerabilities or risks are recorded in the NVD.
  • There is typically a delay between when CVEs first appear and when they are published in the NVD. Although the delay is often as short as just an hour, this still means that attackers could begin exploiting vulnerabilities before they reach the NVD – so if you monitor for risks based on the NVD alone, your systems may come under attack before you even know they’re vulnerable.
  • While the CVSS scores provide a generic estimate of the severity of each vulnerability, the actual severity can vary from one organization to another depending on factors like whether an affected application is in testing or production, as well as the specifics of the application’s configuration.
  • The CVE descriptions typically provide some insight into how threat actors can exploit vulnerabilities, but it’s usually limited. To gain deeper insight that is relevant to your specific application and configuration, you’d want to determine your software’s exploitable path.

For these reasons, it’s important to use the NVD in conjunction with other resources and practices – such as security tools that can identify untracked vulnerabilities (meaning ones that are not assigned a CVE and therefore not reported in the NVD) and application security scanners that assign severity ratings tailored to your code and environment rather than relying on generic CVSS scores.

Getting the most from the NVD with Checkmarx

This is where Checkmarx comes in. As an end-to-end application security solution, Checkmarx can detect vulnerabilities of all types – including but not limited to those reported in the NVD – within your applications. In addition, Checkmarx offers detailed severity and remediation guidance tailored to your code and environment so your team knows exactly how to react to each threat.