Last updated at Mon, 18 Mar 2024 19:00:07 GMT

Recently, the US National Institute of Standards and Technology (NIST) announced on the National Vulnerability Database (NVD) site that there would be delays in adding information on newly published CVEs. NVD enriches CVEs with basic details about a vulnerability, such as the vulnerability's CVSS score, the software products impacted by the CVE, information about the bug, patch status, and so on. Since February 12th, 2024, NVD has largely stopped enriching vulnerabilities.

Given the broad usage of and visibility into the NVD, the delays are sure to have a widespread impact on security operations that rely on timely and effective vulnerability information to prioritize and respond to risk introduced by software vulnerabilities.

We want to assure our customers that this does not impact Rapid7's ability to provide coverage and checks for vulnerabilities in our products. At Rapid7, we believe in a multi-layered approach to vulnerability detection creation and risk scoring, which means that our products are not completely reliant on any single source of information, NVD included.

In fact, for vulnerability detection creation we primarily use vendor advisories, and as such our customers will continue to see new vulnerability detections made available without interruption. For vulnerability prioritization, our vulnerability researchers aggregate vulnerability intelligence from multiple sources, including our own research, to provide accurate information and risk scoring. Example areas of our coverage that are currently unaffected by the NVD delays include:

  • Microsoft vulnerabilities - CVSS information is pulled directly from the Microsoft advisory,
  • Vulnerabilities with coverage that are present on the CISA KEV list, and
  • Any vulnerabilities that qualify for our Emergent Threat Response process - our researchers manually analyze and enrich these vulnerabilities as part of our ETR process

Below is an example of a recent Microsoft vulnerability, CVE-2024-26166, with the CVSS and Active Risk scores unaffected by NVD:

However, there are portions of Rapid7's vulnerability detection database that do rely on NVD data for enrichment to populate fields such as CVSS scores. These vulnerabilities will continue to be supplemented by our proprietary risk scoring algorithm, Active Risk, and will be updated as soon as enrichment information becomes available from the NVD.
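As an added illustration of the enrichment gap described above (this is not Rapid7's code and says nothing about how Active Risk is computed), the following Python triages CVE records in the shape of the NVD API 2.0 JSON: it takes the NVD-assigned CVSS v3.1 score where NVD has analyzed the record, falls back to a CNA-supplied score where one is present (as Microsoft attaches to its own CVEs), and otherwise marks the CVE for manual enrichment. The CVE ids, scores and source strings in the sample are constructed placeholders, and the field names assume the NVD 2.0 record layout.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed sample in the shape of NVD API 2.0 CVE records; the ids,
# scores and vulnStatus values are made up and match no real CVE.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "secure@microsoft.com", "type": "Secondary",
                  "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-00003", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},
]})


def base_score(cve: dict) -> Tuple[Optional[float], str]:
    """Return (CVSS v3.1 base score, provenance) for one NVD 2.0 CVE record.

    Prefers NVD's own (Primary) metric; when NVD has not enriched the record,
    falls back to a CNA-supplied (Secondary) metric. Returns (None, "unscored")
    when neither exists so the CVE can be routed to manual enrichment.
    """
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted in ("Primary", "Secondary"):
        for m in metrics:
            if m.get("type") == wanted and "baseScore" in m.get("cvssData", {}):
                return m["cvssData"]["baseScore"], f"{wanted.lower()}:{m.get('source')}"
    return None, "unscored"


def triage(nvd_json: str) -> Dict[str, dict]:
    """Map CVE id -> {score, source, nvd_enriched} for one NVD 2.0 response."""
    out = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        score, src = base_score(cve)
        # NVD marks enriched records as Analyzed (or Modified after re-analysis).
        enriched = cve.get("vulnStatus") in ("Analyzed", "Modified")
        out[cve["id"]] = {"score": score, "source": src, "nvd_enriched": enriched}
    return out


if __name__ == "__main__":
    for cve_id, info in triage(SAMPLE_NVD_JSON).items():
        print(cve_id, info)
```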

Active Risk leverages intelligence from multiple threat feeds, in addition to CVSS scores, such as AttackerKB, Metasploit, ExploitDB, Project Heisenberg, the CISA KEV list, and other third-party dark web sources to provide security teams with threat-aware vulnerability risk scores on a scale of 0-1000. This approach ensures customers can continue to prioritize and remediate the most important risks despite the NVD delays.

First and foremost, we want to assure our customers that they will continue to have coverage and checks across emergent and active vulnerabilities across our products. Our teams will continue to invest in diverse vulnerability enrichment information, and we are actively working on new updates that will ensure there is no additional impact to CVSS scoring. We will continue to monitor the situation, share relevant information as it becomes available, and offer additional guidance for customers via our support channels.