BotBeat
INDUSTRY REPORT | Anthropic | 2026-05-05

NVD Drastically Reduces Vulnerability Enrichment Scope Amid AI-Driven Discovery Acceleration

Key Takeaways

  • NVD will limit enrichment to CVEs in CISA's Known Exploited Vulnerabilities catalog, federal software, and critical infrastructure, a dramatic reduction from historical comprehensive coverage
  • Vulnerability enrichment (standardizing product identification, severity scoring, weakness classification) is essential for actionable security responses, but its availability is declining just as discovery accelerates
  • AI-powered vulnerability discovery tools are democratizing vulnerability finding while infrastructure to manage and prioritize findings deteriorates, creating a bifurcated security landscape

Source: Hacker News, https://pulse.latio.tech/p/building-an-ai-ready-vulnerability

Summary

The National Vulnerability Database announced major changes to its vulnerability enrichment program on April 15th, 2026, drastically reducing which vulnerabilities will receive enrichment. Going forward, the NVD will only enrich CVEs appearing in CISA's Known Exploited Vulnerabilities catalog, vulnerabilities affecting federal government software, and critical software designated under Executive Order 14028. This represents a fundamental crisis in vulnerability management infrastructure: AI tools like Anthropic's Mythos are accelerating vulnerability discovery at unprecedented rates, while the systems designed to triage and prioritize these findings are simultaneously collapsing.

Vulnerability enrichment, the process of attaching standardized CPE data (affected product identification), authoritative CVSS scores, CWE classifications, and reference URLs to each CVE, is what makes vulnerability findings actionable for security teams. The NVD's scope reduction means fewer vulnerabilities will receive this critical enrichment despite discovery rates hitting all-time highs. The problem is compounded by structural issues in CISA's KEV catalog, which relies heavily on network telemetry and captures only 0.5% of all CVEs. This creates a dangerous gap where internal vulnerabilities, emerging threats, and those affecting non-critical software may lack the enrichment needed for effective prioritization and response.

  • Organizations must develop alternative vulnerability prioritization strategies and leverage third-party intelligence providers rather than relying solely on NVD enrichment

Editorial Opinion

The NVD's reduction in enrichment scope comes at the worst possible moment—precisely when AI-powered vulnerability discovery is making vulnerability finding more accessible than ever. This creates a dangerous divergence where large organizations focused on critical infrastructure and federal compliance may maintain adequate enrichment coverage, while mid-market companies and those managing internal software face an enrichment void. Organizations should not wait for the NVD to adapt; they must immediately invest in alternative vulnerability prioritization strategies, third-party intelligence providers, and potentially develop internal enrichment capabilities to survive this infrastructure collapse.
