www.darkreading.com 4/19/2026, 6:13:35 PM

Industry Steps In As NIST Cuts Back on CVE Enrichment

Industry and ad hoc coalitions appear poised to help fill the gap created by NIST's decision to cut back on CVE data enrichment. The April 17, 2026 piece notes that NIST will prioritise CVEs for enrichment rather than handling them all. The article states that NIST lost 12% of its federal funding in 2024, prompting a talent exodus and raising concerns that the CVE programme and private sector partners may increasingly bear the load.

According to CISA's chief of vulnerability response, Lindsey Cerovnik, around 40,000 CVE records were created in 2025, and the programme is on track to generate as many as 60,000 by the end of 2026, while enrichment metadata remains labour intensive. CVE enrichment is described as adding value but being burdensome, with calls for upstream CNAs to provide more information at filing to streamline downstream work.

Experts like Bob Lord and Dick Brooks argue CVE records should be complete at issuance and that delays by vendors undermine timeliness and research workflows. In the meantime, practitioners such as Shane Fry and Adam Shostack urge a shift toward proactive patching and software-level defence, while procurement language in the US energy sector could help enforce timelier vulnerability reporting.

Article by CyberSIXT