When the Referee Stops Blowing the Whistle
NIST Significantly Reduces Independent CVSS Scoring in the NVD
For years, the routine has been the same. A new vulnerability appears, the security team checks the NVD, looks at the CVSS score, and decides: patch now or wait. A single number, produced by a U.S. federal agency, has become the pace-setter for millions of systems worldwide.
That pace-setter is now stepping back.
NIST has announced that it will significantly reduce its routine CVSS scoring activities for the National Vulnerability Database (NVD). The backlog of unprocessed entries has been growing since February 2024—from around 13,000 in June 2024 to over 27,000 by the end of 2025—amid a rising number of reported vulnerabilities and a stagnant budget.
What remains when NIST is no longer providing oversight is the CVSS score assigned by the software vendor itself.
The structural problem behind the headline
Within the security community, it is no secret that vendors tend to rate the severity of their own vulnerabilities conservatively. Until now, NIST has balanced this conflict of interest through an independent second assessment. That independence is now disappearing, and for teams that have relied on NVD CVSS scores as their primary source of prioritization, this represents a significant shift.
For Greenbone users, however, nothing changes operationally. Not because the news is irrelevant, but because the NIST NVD has never been Greenbone’s only source of vulnerability intelligence.
A broad international database rather than a single source of truth
For years, Greenbone’s approach has been built on a broad, international foundation of data sources. Vulnerability information is gathered from a diverse portfolio including official databases, vendor advisories, national authorities, European initiatives such as the European Vulnerability Database (EUVD), and the global security community. Each source is evaluated, weighted, and cross-referenced.
The value of this diversity becomes particularly clear in situations like the current one: when a single source becomes unavailable or loses quality, the overall picture for Greenbone users remains largely unchanged. This is not a reaction to a crisis—it has been an architectural principle since day one.
Are vendor-assigned scores inherently unreliable? The honest answer is no, not necessarily. Vendors that provide structured and transparent vulnerability information contribute valuable data—and Greenbone uses that information directly. The challenge lies in the structural incentive to downplay one’s own weaknesses and in the lack of independence when a single source becomes the sole authority.
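One way to make this resilience concrete, as an added example rather than Greenbone's own logic: combine the CVSS base scores published by several sources so that independent sources drive prioritisation, a vendor score that sits markedly below the independent consensus is flagged, and a vendor-only score is marked as lacking a second opinion. The source names, the 2.0-point divergence threshold and the sample vulnerabilities are assumptions constructed for the example.

```python
from statistics import median
from typing import Optional

# Sources named on the page; "vendor" is the self-assessed score. Assumption:
# every source other than the vendor counts as an independent second opinion.
INDEPENDENT_SOURCES = ("nvd", "euvd")
DIVERGENCE_THRESHOLD = 2.0  # assumption: how far below consensus is suspicious


def prioritise(scores: dict[str, Optional[float]]) -> dict:
    """Combine per-source CVSS base scores for one vulnerability.

    scores maps source name -> CVSS base score, or None when that source has
    not (yet) published one, e.g. an NVD entry stuck in the backlog.
    Returns the score that should drive patch prioritisation, how many
    independent sources back it, and flags a reviewer should look at.
    """
    available = {s: v for s, v in scores.items() if v is not None}
    independent = [available[s] for s in INDEPENDENT_SOURCES if s in available]
    vendor = available.get("vendor")
    flags: list[str] = []

    if independent:
        # Independent consensus drives prioritisation; median resists one outlier.
        priority = median(independent)
        if vendor is not None and priority - vendor >= DIVERGENCE_THRESHOLD:
            flags.append("vendor-divergence")  # vendor rated markedly lower
    elif vendor is not None:
        priority = vendor  # only the self-assessment is left
        flags.append("vendor-only")
    else:
        priority = None
        flags.append("unscored")  # nothing to go on: needs manual triage

    return {"priority": priority, "independent_sources": len(independent), "flags": flags}


# Constructed sample inputs (placeholder IDs, not real CVEs).
SAMPLE = {
    "VULN-A": {"nvd": 9.8, "euvd": 9.8, "vendor": 7.5},    # all sources present
    "VULN-B": {"nvd": None, "euvd": 8.8, "vendor": 8.8},   # NVD backlog, EUVD covers
    "VULN-C": {"nvd": None, "euvd": None, "vendor": 5.3},  # only the vendor has spoken
}

if __name__ == "__main__":
    for vuln_id, scores in SAMPLE.items():
        print(vuln_id, prioritise(scores))
```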
The EUVD: European sovereignty as a constructive response
The current NIST situation also highlights a broader dependency issue: Europe has relied for too long on a single U.S. institution for vulnerability assessment. The European Vulnerability Database (EUVD), operated by ENISA, represents the right response—sovereign, European, and independent of U.S. budget decisions.
Greenbone has actively integrated the EUVD from the beginning because any reliable new source naturally belongs in a diversified vulnerability intelligence ecosystem.
For security teams, the key question is therefore not whether NIST will recover.
The real question is how resilient your vulnerability assessment process remains when one source disappears—and whether you already know the answer today.
Learn how your organization can meet the requirements of the Cyber Resilience Act and sustainably strengthen your cyber resilience.