NIST to stop rating non-priority flaws due to volume increase

NIST announced it will stop assigning severity scores to lower-priority vulnerabilities due to the growing volume of submissions overwhelming its workload capacity. This policy change affects the National Vulnerability Database (NVD) operations, where previously all vulnerabilities received CVSS scores. Under the new approach, NIST will focus resources on high-priority vulnerabilities while lower-priority flaws will remain unrated. Organizations relying on NIST scores for prioritization should implement independent vulnerability assessment processes. The change may impact patch management timelines and risk evaluation for lower-severity issues that previously received formal ratings. Security teams should verify their vulnerability tracking mechanisms remain effective despite this administrative shift.

The National Institute of Standards and Technology will stop assigning severity scores to lower-priority vulnerabilities due to the growing workload from rising submission volumes. [...]

NIST announced it will stop assigning severity scores to lower-priority vulnerabilities due to the growing volume of submissions overwhelming its workload capacity. This policy change affects the National Vulnerability Database (NVD) operations, where previously all vulnerabilities received CVSS scores. Under the new approach, NIST will focus resources on high-priority vulnerabilities while lower-priority flaws will remain unrated. Organizations relying on NIST scores for prioritization should implement independent vulnerability assessment processes. The change may impact patch management timelines and risk evaluation for lower-severity issues that previously received formal ratings. Security teams should verify their vulnerability tracking mechanisms remain effective despite this administrative shift. The National Institute of Standards and Technology will stop assigning severity scores to lower-priority vulnerabilities due to the growing workload from rising submission volumes. [...] The National Institute of Standards and Technology will stop assigning severity scores to lower-priority vulnerabilities due to the growing workload from rising submission volumes. [...]