NIST Overwhelmed: NVD Changes Prioritization Amidst Exploding Vulnerability Submissions
The **National Institute of Standards and Technology (NIST)** is altering its approach to managing cybersecurity vulnerabilities within the **National Vulnerability Database (NVD)**. Citing an exponential increase in bug submissions, NIST will now prioritize vulnerabilities based on exploitability and criticality, potentially leaving a backlog of unanalyzed CVEs.
## NIST Announces Changes to Vulnerability Tracking System
**NIST** has announced significant changes to the way it tracks cybersecurity vulnerabilities, acknowledging that the number of bug submissions is growing at an unsustainable rate. This shift will impact how vulnerabilities are categorized and enriched within the widely-used **NVD**.
The agency will now focus its resources on vulnerabilities that meet specific criteria, marking a departure from its previous mission to categorize every **CVE** (Common Vulnerabilities and Exposures). This decision comes as the agency struggles to keep pace with the increasing volume of submissions. According to a statement released by **NIST**, submissions in the first three months of 2026 are nearly one-third higher than the same period last year, despite a 45% increase in CVE enrichment in 2025.
## Prioritization Criteria
Under the new policy, **NIST** will only enrich **CVE** records that meet certain thresholds. Specifically, enrichment will be prioritized for:
* **CVE**s listed in the **Cybersecurity and Infrastructure Security Agency's (CISA)** Known Exploited Vulnerabilities Catalog.
* **CVE**s affecting products used by the federal government.
* **CVE**s impacting software deemed "critical".
**NIST** aims to enrich vulnerabilities in the **CISA** catalog within one day of notification. **CVE**s that do not meet these criteria will still be listed but will not receive additional analysis or severity scoring from **NIST**.
## The Backlog Problem
**NIST** has acknowledged an existing backlog of **CVE**s that it has been unable to process due to resource constraints. These backlogged entries, predating March 1, 2026, will be moved to a "Not Scheduled" category and will only be prioritized if they meet the new criteria.
**NIST** will also rely more heavily on severity scores provided by submitters, rather than generating its own scores for all **CVE**s. While acknowledging that the changes "may not catch every potentially high-impact **CVE**," **NIST** maintains that this risk-based approach is necessary to ensure the database remains sustainable and reliable.
## Industry Reaction
Experts like Trey Ford from **Bugcrowd** suggest that **NIST's** changes reflect a broader understanding within the research community: centralizing vulnerability triage at this scale is unsustainable. Ford emphasized that real-world exploitability, determined by human researchers, is the true driver of remediation priority.
