
NVD's shift to risk-based prioritization: how Iru Vulnerability Management stays ahead of the limitations

Summary

NIST formally transitioned the National Vulnerability Database to a risk-based enrichment model in April 2026, meaning only CVEs that meet specific criteria, like those in CISA's KEV catalog or affecting federal software, will be prioritized for enrichment. Everything else gets deferred. This leaves a significant gap for security teams that depend on NVD data for vulnerability management. Iru VM was built to operate independently of NVD's limitations, drawing from multiple sources and providing its own human-in-the-loop enrichment. To date, Iru's Security Research team has enriched close to 2,000 CVEs and corrected around 170 inaccurate NVD records, with 66% of all vulnerability detections across customer endpoints driven by Iru-enriched data.

The CVE program has long been a vital part of vulnerability intelligence and protecting critical infrastructure. For the past couple of decades, the National Vulnerability Database (NVD), run by NIST, has served as a foundational reference for vulnerability intelligence, providing severity scores, product metadata, and structured enrichment that security teams and tooling depend on every day.

Back in early 2024, NVD faced budget shortages that led to decreased funding, staffing reductions, and a substantial backlog of CVEs. As a result, a large subset of CVEs lacked the necessary intelligence for administrators, organizations, and anyone reliant on NVD data to take actionable steps to protect their endpoints and environments.

In response to these challenges, Iru Vulnerability Management (VM) has taken proactive steps to ensure customers continue to receive complete and actionable vulnerability data, regardless of the state of public infrastructure.

NIST’s Announcement

While NVD was able to chip away at its backlog with support from CISA, a large accumulation of CVEs remained for which security administrators could not take meaningful action without relying on a third-party vulnerability management product or feed offering additional intelligence. The emergence of AI-driven vulnerability discovery tools is also a contributing factor. Systems like Anthropic's Mythos are capable of identifying thousands of previously unknown vulnerabilities in a matter of weeks, accelerating discovery at a scale the current CVE infrastructure was not built to handle. Industry forecasts project more than 59,000 new CVEs in 2026 alone, the first time submissions are expected to cross 50,000 in a single calendar year.

On April 15, 2026, NIST formally transitioned NVD to a risk-based enrichment model, citing record growth in CVE submissions (an increase of approximately 263% between 2020 and 2025).

Under this new model, NVD will prioritize enrichment for CVEs that meet any of the following criteria:

  • CVEs listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog
  • CVEs affecting software used within the federal government
  • CVEs for critical software as defined under Executive Order 14028

CVEs that do not meet these criteria, or that have a publish date before March 1, 2026, are being deferred to a "Not Scheduled" status and will only be enriched as resources allow. NIST has also indicated it will no longer independently provide CVSS scores for CVEs when a CNA-provided score already exists, and will limit re-analysis of modified CVEs to cases where changes materially affect the enrichment data.

Impact on Industry and Security Teams

Countless organizations rely on NVD enrichment to power their vulnerability management tools, scanner correlation logic, and risk prioritization workflows. The critical gap is CPE-based application mapping: without it, security teams have no reliable way to know which software in their environment is affected without manually investigating each CVE themselves, undermining the efficiency that automated vulnerability management is built to provide.

The change reflects a structural reality: CVE volume has outpaced centralized enrichment capacity, and that gap is getting increasingly difficult to close. It also accelerates a broader industry conversation. The CVE program, while foundational, was never designed to be the only lens through which organizations assess risk. Between CNA-provided scoring, open source intelligence, custom prioritization models, and the rise of AI-identified vulnerabilities, the ecosystem for vulnerability intelligence is becoming more distributed by necessity.

Iru Vulnerability Management

NVD delays and inconsistencies are not new, and Iru Vulnerability Management (VM) was built with that in mind. Rather than treating NVD as a complete source of truth, Iru uses it as a foundation and goes further, independently enriching and verifying vulnerability data to ensure customers have a clear path to action. In addition to NVD, Iru ingests data from CISA's KEV catalog and EPSS scores, and draws from vendor advisories and other authoritative sources, ensuring that gaps in public infrastructure do not become gaps in customer visibility.

For CVEs that NVD has deprioritized or deferred, Iru's Security Research team provides human-in-the-loop enrichment. This includes additional enrichments sourced from vendor advisories and other authoritative feeds, ensuring that CVEs critical to Iru customers receive the context needed for informed decision-making.
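The following is an added illustration of the multi-source approach described in this section and of the "Not Scheduled"/"Deferred" statuses introduced above; it is example code written for this article, not Iru's implementation. It combines the NVD record status, a NIST- or CNA-authored CVSS score, CISA KEV membership and an EPSS score into one priority, and flags every record that NVD has not enriched or that lacks CPE-based affected-software mapping for human enrichment. The record shape only loosely follows the NVD API 2.0 JSON; the `nvd@nist.gov` source tag, the thresholds, and all sample records (placeholder CVE IDs) are assumptions constructed for the example.

```python
"""Multi-source triage for CVE records that NVD has deferred or not enriched.

Added example, not Iru's code. Records are constructed and only loosely follow
the NVD API 2.0 JSON shape ("vulnStatus", "metrics", "configurations"); KEV
membership and EPSS scores are assumed to come from separately ingested feeds.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# NVD statuses under which the record carries no NVD-supplied enrichment.
UNENRICHED_STATUSES = {"Received", "Awaiting Analysis", "Deferred", "Not Scheduled"}
NVD_SOURCE = "nvd@nist.gov"  # assumed source tag for NIST-authored CVSS metrics
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}


@dataclass
class Triage:
    cve_id: str
    status: str
    score: float | None
    score_source: str  # "nvd", "cna" or "none"
    has_cpe_mapping: bool
    in_kev: bool
    epss: float | None
    priority: str  # key of PRIORITY_RANK
    needs_manual_enrichment: bool
    reasons: list[str] = field(default_factory=list)


def pick_cvss(record: dict) -> tuple[float | None, str]:
    """Prefer a NIST-authored CVSS base score; otherwise accept the CNA's."""
    entries = [m for key, metrics in record.get("metrics", {}).items()
               if key.startswith("cvssMetricV") for m in metrics]
    for m in entries:
        if m.get("source") == NVD_SOURCE:
            return m["cvssData"]["baseScore"], "nvd"
    if entries:
        return entries[0]["cvssData"]["baseScore"], "cna"
    return None, "none"


def triage(record: dict, kev_ids: set[str], epss: dict[str, float]) -> Triage:
    """Combine NVD, KEV, EPSS and CNA data into one prioritization decision."""
    cve_id = record["id"]
    status = record.get("vulnStatus", "")
    score, source = pick_cvss(record)
    has_cpe = bool(record.get("configurations"))
    in_kev = cve_id in kev_ids
    epss_score = epss.get(cve_id)
    reasons: list[str] = []

    # Strongest exploitation evidence first, raw severity last.
    if in_kev:
        priority = "critical"
        reasons.append("listed in CISA KEV")
    elif epss_score is not None and epss_score >= 0.5:
        priority = "high"
        reasons.append(f"EPSS {epss_score:.2f}")
    elif score is None:
        priority = "unknown"
        reasons.append("no CVSS score from NVD or the CNA")
    elif score >= 9.0:
        priority = "high"
    elif score >= 7.0:
        priority = "medium"
    else:
        priority = "low"

    # Records NVD has not enriched, or that lack CPE mapping, cannot be matched
    # against a software inventory and go to the human enrichment queue.
    if status in UNENRICHED_STATUSES:
        reasons.append(f"NVD status '{status}'")
    if not has_cpe:
        reasons.append("no CPE configuration: affected software unknown")
    needs_manual = status in UNENRICHED_STATUSES or not has_cpe or score is None

    return Triage(cve_id, status, score, source, has_cpe, in_kev, epss_score,
                  priority, needs_manual, reasons)


def triage_feed(records, kev_ids, epss) -> list[Triage]:
    """Triage every record and order the result by priority (stable sort)."""
    results = [triage(r, kev_ids, epss) for r in records]
    return sorted(results, key=lambda t: PRIORITY_RANK[t.priority])


def enrichment_queue(results: list[Triage]) -> list[str]:
    """CVE IDs a research team must enrich by hand, highest priority first."""
    return [t.cve_id for t in results if t.needs_manual_enrichment]


# Constructed sample data: placeholder CVE IDs, not real records.
SAMPLE_RECORDS = [
    {   # fully analysed by NVD: score and CPE mapping present
        "id": "CVE-0000-0001", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE,
                                       "cvssData": {"baseScore": 7.5}}]},
        "configurations": [{"nodes": [{"cpeMatch": [
            {"criteria": "cpe:2.3:a:example:app:*:*:*:*:*:*:*:*"}]}]}],
    },
    {   # CNA score only, no CPE mapping, deferred under the new model
        "id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
        "metrics": {"cvssMetricV31": [{"source": "cna@example.test",
                                       "cvssData": {"baseScore": 9.8}}]},
        "configurations": [],
    },
    {   # no score at all, but listed in KEV
        "id": "CVE-0000-0003", "vulnStatus": "Deferred",
        "metrics": {}, "configurations": [],
    },
]
SAMPLE_KEV = {"CVE-0000-0003"}
SAMPLE_EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.31}

if __name__ == "__main__":
    for t in triage_feed(SAMPLE_RECORDS, SAMPLE_KEV, SAMPLE_EPSS):
        print(f"{t.cve_id} {t.priority:8} score={t.score} ({t.score_source}) "
              f"manual={t.needs_manual_enrichment}; {'; '.join(t.reasons)}")
```

The point of the design is that a KEV listing or a CNA score still yields a usable priority when NVD has nothing, while the absence of CPE mapping is surfaced as its own signal rather than silently producing zero detections.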

Iru's Security Research team has provided enrichment for close to 2,000 CVEs to date, supplementing or replacing what NVD has made available. Of those, approximately 150 are CVE records that NVD moved from “Awaiting Analysis” to “Deferred” with no CPE-based app mapping provided. Our team has also corrected approximately 170 inaccurate NVD records to date, ranging from affected-software misclassifications to incorrect affected version ranges, catching errors that would otherwise reach customers undetected.

CVE-2024-40594, a vulnerability in the ChatGPT app for macOS, spent over a year awaiting analysis on NVD before being moved to deferred status last month without any affected software or version mapping. Iru's researchers independently enriched the record to fill that gap. It is a straightforward example of our approach: every vulnerability our customers encounter, regardless of severity, should come with the full context needed to make an informed decision.

[Images: chatgpt_override-1, chatgpt_nvd-1]

Notably, our researchers had already enriched those records long before NIST's April announcement, ensuring customers had a clear path to detection and remediation before any impact could be felt.

The results speak for themselves: 66% of all vulnerability detections across millions of endpoints on macOS and Windows are driven by Iru-enriched data.

This work reflects a deliberate effort to build vulnerability intelligence that is accurate, complete, and resilient to the policy changes and resourcing constraints that affect public infrastructure. For administrators, that means vulnerability data that is contextualized, scored, and actionable regardless of what is happening upstream at NIST.

With Iru Vulnerability Management, teams can identify, prioritize, and remediate vulnerabilities without being held back by external data delays.

What this means for Iru customers

NVD's shift to risk-based prioritization is a signal to the broader industry that relying on a single source for vulnerability intelligence carries risk. Iru Vulnerability Management is built with that in mind, so that administrators have access to comprehensive, up-to-date vulnerability information, and our customers can keep doing their work with confidence.

