• Request consultation
  • Newsletter
  • Deutsch Deutsch German de
  • English English English en
  • Italiano Italiano Italian it
  • Nederlands Nederlands Dutch nl
Greenbone
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for Your Sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap & Lifecycle
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
  • Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for your sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap and Lifecycle
    • Request IT Security
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
    • Newsletter
  • Our Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • German
  • English
  • Italian
  • Dutch
Greenbone AG

When the Referee Stops Blowing the Whistle

Blog

NIST Significantly Reduces Independent CVSS Scoring in the NVD

For years, the routine has been the same. A new vulnerability appears, the security team checks the NVD, looks at the CVSS score, and decides: patch now or wait. A single number, produced by a U.S. federal agency, has become the pace-setter for millions of systems worldwide.

That pace-setter is now stepping back.

NIST has announced that it will significantly reduce its routine CVSS scoring activities for the National Vulnerability Database (NVD). The backlog of unprocessed entries has been growing since February 2024—from around 13,000 in June 2024 to over 27,000 by the end of 2025—amid a rising number of reported vulnerabilities and a stagnant budget.

What remains when NIST is no longer providing oversight is the CVSS score assigned by the software vendor itself.

CVE-2025-20393-cisco-spam-filter

NIST steps aside

The structural problem behind the headline

Within the security community, it is no secret that vendors tend to rate the severity of their own vulnerabilities conservatively. Until now, NIST has balanced this conflict of interest through an independent second assessment. That independence is now disappearing, and for teams that have relied on NVD CVSS scores as their primary source of prioritization, this represents a significant shift.

For Greenbone users, however, nothing changes operationally. Not because the news is irrelevant, but because the NIST NVD has never been Greenbone’s only source of vulnerability intelligence.

A broad international database rather than a single source of truth

For years, Greenbone’s approach has been built on a broad, international foundation of data sources. Vulnerability information is gathered from a diverse portfolio including official databases, vendor advisories, national authorities, European initiatives such as the European Vulnerability Database (EUVD), and the global security community. Each source is evaluated, weighted, and cross-referenced.

The value of this diversity becomes particularly clear in situations like the current one: when a single source becomes unavailable or loses quality, the overall picture for Greenbone users remains largely unchanged. This is not a reaction to a crisis—it has been an architectural principle since day one.

Are vendor-assigned scores inherently unreliable? The honest answer is no, not necessarily. Vendors that provide structured and transparent vulnerability information contribute valuable data—and Greenbone uses that information directly. The challenge lies in the structural incentive to downplay one’s own weaknesses and in the lack of independence when a single source becomes the sole authority.

The EuVD: European Sovereignty as a Constructive Response

The current NIST situation also highlights a broader dependency issue: Europe has relied for too long on a single U.S. institution for vulnerability assessment. The European Vulnerability Database (EUVD), operated by ENISA, represents the right response—sovereign, European, and independent of U.S. budget decisions.

Greenbone has actively integrated the EUVD from the beginning because any reliable new source naturally belongs in a diversified vulnerability intelligence ecosystem.

For security teams, the key question is therefore not whether NIST will recover.

The real question is how resilient your vulnerability assessment process remains when one source disappears—and whether you already know the answer today.

Learn how your organization can meet the requirements of the Cyber Resilience Act and sustainably strengthen your cyber resilience.

Learn more →
Contact Test Now Buy Here Back to Overview
3. June 2026/by Greenbone AG
Share this entry
  • Share on LinkedIn
  • Share by Mail
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Greenbone AG https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Greenbone AG2026-06-03 13:16:542026-06-03 13:16:54When the Referee Stops Blowing the Whistle

Search

Search Search

Archive

  • 2026
  • 2025

Newsletter

Subscribe Now

OPENVAS BASIC

Our entry-level enterprise product

Test 14 Days Free of Charge

Products & Solutions

  • OPENVAS PRODUCTS
  • OPENVAS SECURITY INTELLIGENCE
  • OPENVAS SCAN
  • OPENVAS BASIC
  • OPENVAS FREE
  • OPENVAS AI
ISO9001-EN

Service & Support

  • Technical Support
  • FAQ
  • Documents
  • Warranty
  • Open Source Vulnerability Management
  • Cyber Resilience Act
ISO27001-EN

About us

  • About Greenbone
  • Partners
  • MSSP
  • License information
  • Privacy Statement
  • Terms & Conditions
ISO14001-EN

Contact with us

  • Contact
  • Newsletter
  • Media Contact
  • Careers
  • Security Response
  • Imprint
  • Grounding Page

Community

  • Community Portal
  • Community Forum
© Copyright - Greenbone AG 2020-2026
  • Link to LinkedIn
Link to: Attackers are increasingly shifting from stolen credentials to exploited vulnerabilities Link to: Attackers are increasingly shifting from stolen credentials to exploited vulnerabilities Attackers are increasingly shifting from stolen credentials to exploited vu... Link to: The September 2026 CRA Deadline: What Manufacturers Must Do Right Now Link to: The September 2026 CRA Deadline: What Manufacturers Must Do Right Now The September 2026 CRA Deadline: What Manufacturers Must Do Right Now
Scroll to top Scroll to top Scroll to top
Contact
Request IT Security Contact Us Subscribe to Newsletter Follow on LinkedIn