“NIST’s announcement is a candid acknowledgement of what the industry has been feeling for some time,” says Chris Fearson, Sr. Director of R&D at Black Duck. “CVE volume has outgrown what any single human-curated feed can keep pace with, and the downstream cost has been absorbed quietly by every AppSec team trying to make sense of incomplete, delayed, or mis-scoped enrichment data.”

To understand the magnitude of this shift, we must look closely at what NIST is scaling back. Going forward, NIST will prioritize NVD data enrichment almost exclusively for three categories of vulnerabilities.

• CVEs appearing in CISA’s Known Exploited Vulnerabilities catalog
• CVEs affecting software used within the U.S. federal government
• CVEs impacting “critical software” as defined by Executive Order 14028

Essentially, NIST is refocusing its universal enrichment model to align with its core remit. Instead of enriching every submitted vulnerability, it is adopting a highly focused triage approach aligned with its obligations to the U.S. government. CVEs falling outside these parameters will still be published, but they won’t be enriched and they will be tagged as “Lowest Priority—not scheduled for immediate enrichment.”

An immediate, if nonobvious, result of this is that NIST will no longer provide CVSS scores for CVEs that aren’t aligned with its renewed focus—a great example of the type of enrichment NIST routinely provided if a CVE Numbering Authority already supplied a score. It is also offloading the massive backlog of unenriched CVEs submitted prior to March 1, 2026, into a “Not Scheduled” category.

For organizations or security tools that rely heavily on the NVD, this creates a massive information deficiency.

Most vulnerabilities will now enter the CVE ecosystem without the critical CVSS metadata required for automated downstream tooling to prioritize them. This reduction in enrichment is colliding with the rapid proliferation of AI-assisted threat discovery (e.g., the recent Mythos announcement from Anthropic). Advanced AI models and coding tools are significantly lowering the barrier for identifying exploitable weaknesses and complex attack paths in applications, driving this spike in CVE disclosures.

Put simply: The application attack surfaces hidden by complex business logic are becoming visible, exactly as the primary public mechanism for categorizing its flaws is contracting.

With public vulnerability enrichment shrinking, organizations need a system that is reliable, powerful, clear, and expeditious. This is precisely the gap filled by Black Duck Security Advisories (BDSAs)—enriched vulnerability data available to all Black Duck customers.

Powered by the Black Duck Cybersecurity Research Center (CyRC), and underpinned by ContextAI^TM, BDSAs bypass the bottlenecks and limitations of the NVD entirely. While the NVD typically does not cross-check or verify vulnerability data provided by third parties, the CyRC operates as an elite team of security researchers who actively monitor, validate, and enrich vulnerabilities across the open source ecosystem.

“What’s changed recently is how we scale the research and vulnerability work,” Fearon explains. “We’ve been threading AI through the advisory pipeline so that our researchers can triage, cross reference, and validate at a pace that matches the growth in disclosures, while keeping a human analyst on the signoff.”

BDSAs provide deep, actionable risk insight designed specifically for rapid DevSecOps triage, AI-enabled dev pipelines, and issue management. When a vulnerability is identified, a BDSA delivers highly accurate, verified intelligence that fundamentally outperforms public records in several critical ways.

Eliminating false positives with verified mappings: NVD records often broadly map vulnerabilities to entire component lines. The CyRC independently cross-checks and validates the exact component versions affected. If the CyRC determines a specific version is not vulnerable, it is not mapped to the BDSA. This precise mapping prevents your scanners from flagging phantom vulnerabilities, saving your developers from wasting time on unaffected projects.

Rapid response and hourly updates: The NVD is notoriously slow to update records when new vulnerability data emerges. In contrast, during a new zero-day crisis, BDSAs are reviewed and updated on an hourly basis, ensuring that your teams are operating on the most current threat intelligence possible.

Advanced scoring and triage tags: Beyond standard base scores, BDSAs provide temporal scores, explicit flags for exploit availability, and calculated vulnerability age. Furthermore, BDSAs use contextual tagging—such as identifying “Zero-click RCE” or “Malicious code identified”—allowing security teams to instantly categorize and prioritize the most lethal threats, bypassing the NVD’s enrichment queue.

Actionable remediation, not just data: Developers don’t just need to know that a flaw exists; they need to know how to address it. BDSAs provide highly specific remediation guidance, including exact fixed versions, patch information, and critical workarounds when an official fix is not yet available.

Because BDSAs are unaffected by NVD's policy changes, Black Duck customers maintain a continuous, uninterrupted stream of high-fidelity vulnerability intelligence.