Tech
Surging CVE disclosures force NIST to shake up workflows | Computer Weekly
The US National Institute for Standards and Technology (NIST) is in the process of shaking up the way in which it handles common vulnerabilities and exposures (CVEs) listed in the National Vulnerability Database (NVD) in the face of a rapidly-changing threat environment.
Previously, the NVD programme aimed to analyse all CVEs received to add details – like severity scores and affected product lists – to help cyber teams prioritise and mitigate relevant vulnerabilities. It terms this process ‘enrichment’.
However, going forward, it will enrich only those CVEs that meet a predefined set of criteria – those flaws that don’t mean this bar will still be listed but will be marked as lower priority issues.
“This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” NIST said in a statement.
“We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 – 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions. Therefore, we are instituting a new approach.”
The authority hopes that these changes will enable it to stabilise its programme and buy some time to help it develop new automated systems and workflow enhancements.
Priorities
The new criteria went into effect on Wednesday 15 April, with the following CVEs prioritised:
“This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritised categories,” said NIST.
The organisation acknowledged that the new criteria may not catch every potentially high-impact flaw, so users will be able to request reviews of lower priority CVEs for enrichment.
At the same time, NIST will no longer routinely provide a separate severity score for CVEs that have already been assigned one by the CVE Numbering Authority – firms such as Microsoft, etc – that submitted it. It said this was an effort to reduce duplication of effort and better focus its resources, although users are also able to request reviews of specific CVEs if wanted.
NIST is also changing how it goes about reanalysing enriched CVEs that have been modified after enrichment. Previously it had reanalysed all modified flaws but it will now only do so if it becomes aware of a modification that materially impacts its enrichment data. Again, a user-requested review system will be put in place.
The backlog
In relation to a significant backlog of unenriched CVEs that started to develop two years ago, NIST stated that it has not been able to clear this down and so all backlogged CVEs with an NVD publish date before 1 March 2026 will be moved into the ‘Not Scheduled’ category. CVEs falling into this bucket will be considered for enrichment provided they meet the new prioritisation criteria.
Finally, NIST is updating CVE status labels and descriptions, and making changes to the NVD Dashboard to accurately report these.
The organisation said it recognised it was making big changes that will affect everyday users, however, it reiterated, adopting a risk-based approach is necessary to manage the surge in submissions and buy it time to build new systems that will ensure the sustainability of its offering going forward.
Danis Calderone, principal and chief technology officer at Suzu Labs, said NIST had probably taken the right decision.
“An overhaul was certainly needed and probably inevitable given the volume of new CVE submissions, and we suspect that AI-assisted discovery is probably already pushing that number higher. After all, Microsoft just had its second-largest Patch Tuesday ever, and even ZDI says their incoming submissions have tripled thanks to AI tools,” said Calderone.
“We are excited to see NIST making Kev the top priority tier. That is the right call and something we’ve been doing with our clients for some time now, so we’re very happy to see that becoming the official model.”
However, Calderone criticised some perceived gaps in NIST’s new methodology, specifically the ending of CVE scoring when the submitting authority has already scored it.
“That sounds efficient until you remember that the submitting authority is often the vendor, and vendors don’t always get their own bugs right,” he said. “We just went through this with F5. A recent BIG-IP vulnerability was scored 8.7 HIGH as a denial-of-service issue for five months before it got reclassified as a 9.8 RCE. For organisations using CVSS to drive patching priority, that miscategorisation meant the real risk sat in the wrong queue for five months while attackers were already exploiting it.”
“The other thing missing here is that NIST addressed the processing volume problem but didn’t touch the scoring methodology. CVSS still scores vulnerabilities in isolation. It doesn’t model chainability, where an attacker combines a medium-severity information disclosure with a medium-severity privilege escalation and ends up with critical impact. Neither bug scores as urgent on its own, but together they give you full system compromise.”
Calderone said that for security leaders who have relied on NVD as their go-to for vulnerability context, the time was nigh to build their own prioritisation stack. This could incorporate data from Cisa’s Kev catalogue, Exploit Prediction Scoring System (EPSS) information, and their organisation’s own environmental context.
“The days of waiting for NIST to tell you what matters are over,” he remarked.
On November 16, 2021, Matthew Ziburis sat in his car in a residential neighborhood in the Bay Area stalking an “enemy,” as he put it. A veteran of both the US Army and Marine Corps, Ziburis had previously served in Iraq. But on this mission, he was working at the behest of China’s government. The targets that autumn day were American citizens: Arthur Liu and his teenage daughter, Alysa.
Arthur’s personal story was an exemplar of the American Dream. As a university student, he took part in the 1989 pro-democracy movement in China. After the crackdown at Tiananmen Square that year, he fled to the United States, settling in California. Arthur poured a small fortune and an equal amount of energy into molding Alysa into a figure skating phenom. As a national champion at age 13, she bantered along with Jimmy Fallon on The Tonight Show, and was at the time on track to represent America at the Winter Olympics the following year in Beijing.
Ziburis was surveilling the Liu home when he called Arthur, falsely claiming that he was a member of the US Olympic Committee who needed to discuss upcoming travel to Beijing, Arthur says. Ziburis was adamant that Arthur fax him copies of his and his daughter’s passports as part of a travel “preparedness check,” Liu tells WIRED. This struck Arthur as odd. In his many years dealing with sports bodies, he had never fielded such a request. Alysa’s agent did not respond to a request for comment.
Ziburis’ surveillance of Arthur and Alysa Liu that November day five years ago was just one episode in a bizarre saga that spanned from California to Beijing, touched New York City mayors and members of the US Congress, and has seen two people plead guilty and two more awaiting trial.
Unbeknownst to Ziburis, as he sat outside Aurthur and Alysa’s Northern California home, he too was being watched.
Ziburis had allegedly been dispatched to Northern California by Frank Liu, a self-styled fixer in the Chinese community from Long Island, New York, who was in turn receiving orders from a person in China named Qiang Sun. According to US authorities, Sun was working at the behest of the Chinese government. A concerned private investigator who once worked for Frank Liu had alerted the FBI to Frank’s escapades and was assisting authorities. Law enforcement was already on to Ziburis by the time he arrived. Anthony Ricco, Ziburis’ lawyer, did not respond to requests for comment.
Officers watched as Ziburis surveyed Arthur’s home and visited his law office. The heavy-set man sulking around Arthur’s office also caught the attention of a neighbor, who approached Ziburis and asked him if he needed help, Arthur says. Apparently concerned, the FBI called Arthur to warn him that Ziburis was heading to his home. By then, in part because of the harassment, Arthur and Alysa were boarding a plane to fly out of California. “It was like a movie,” Arthur says.
Alysa’s showing in Beijing in 2022 was disappointing. Burned out, she retired from the sport. Then in February, after returning to the ice after a two year hiatus, Alysa became the first US women’s figure skater to win Olympic gold since 2002—intentionally without her father by her side.
Despite her much-publicized complicated relationship with Arthur, Alysa’s success—punctuated by her signature pierced smile, racoon-tail dye job, and palpable joy for her sport—has reignited interest in the long-running case of transnational repression against her and her father. Human rights advocates and researchers have documented in recent years the lengths Beijing has taken to suppress critical voices, even those residing abroad or whose perceived transgressions date back decades.
Neuroscientists know that there is a link between loneliness and cognitive decline in older adults, although it is still difficult to understand the exact magnitude of the link. A new longitudinal study provides evidence that a proportion of people who feel lonely end up having more memory impairment, though this doesn’t necessarily mean that their brains age faster.
The report, published in Aging & Mental Health, shows that older adults with higher levels of loneliness scored lower on tests of immediate and delayed recall. Even so, the rate at which their memory declined over six years was virtually identical to those who were not lonely.
“It suggests that loneliness may play a more prominent role in the initial state of memory than in its progressive decline,” said Luis Carlos Venegas-Sanabria of the School of Medicine and Health Sciences at Universidad del Rosario, who led the research. “The study underscores the importance of addressing loneliness as a significant factor in the context of cognitive performance in older adults.”
Six-Year Study of Thousands of Single People
The team analyzed data from the Survey of Health, Ageing and Retirement in Europe (SHARE), one of the most robust longitudinal databases for studying aging. For six years, the researchers followed 10,217 adults, aged 65 to 94, from 12 European countries. They assessed their level of loneliness and their performance on memory tests.
The results show that age was the most important determinant of memory level and speed of decline. From the age of 75 onwards, scores began to fall more rapidly. After 85 the decline became more pronounced. Depression and chronic diseases such as diabetes also reduced the initial score. Loneliness, while influencing the starting point, did not accelerate the slope of cognitive decline.
The study also found that physical activity was associated with better initial memory scores. People who engaged in moderate or vigorous physical activity at least once a month recalled more words on immediate and delayed recall tests. This effect did not change the speed of decline, but it did raise the baseline level, which functions as a kind of “cognitive buffer.”
Although the study does not explore the causes of the link between loneliness and cognition, previous research has proposed plausible mechanisms. Loneliness is often associated with less social interaction, a factor that influences cognitive performance. It is also associated with increased risk of depression, which does directly affect memory tests. In addition, lonely people tend to have more health problems, such as hypertension or diabetes, which also affect cognitive function.
By 2050, according to United Nations projections, one in six people in the world will be over the age of 65. Societies are entering a stage where old age will no longer be the exception but will become the norm. Dementia, as well as other neurodegenerative diseases that appear with age, will be a major challenge for health care institutions.
Privacy is not a modern invention; it is part of the human condition of trust, dissent, and intimacy. Every society has developed ways to communicate beyond the reach of power: whispered conversations, sealed letters, coded language.
The need to keep secrets is equally as important among the powerful – governments, more so than individuals, have jealously guarded their own secrets, even as they seek to uncover the secrets of others. What is new is neither the need nor desire for private communication but the current power of the observer.
We now live in what some have termed a “golden age of surveillance,” in which governments, corporations, and adversaries possess the technical capability to monitor human interaction at unprecedented scale. In this era of pervasive digital connectivity, most digital interactions leave a permanent, searchable trace, and the need to protect sensitive information has become critical.
End-to-end encryption (E2EE) is therefore not a technical abstraction or ideological indulgence; it is the most effective defence against unauthorized access to private communications in a fully networked world. As digital communication continues to evolve, the risks of interception scale with it.
Why E2EE matters
E2EE preserves data confidentiality by masking data from unauthorised users and ensuring that only the intended recipients, with a decryption key, can access the data. Using cryptography, E2EE transforms readable plaintext into unreadable ciphertext on the sender’s device, keeps it encrypted during transmission, and decrypts it back into its original form only when it reaches its destination and is decoded with the correct key. It is widely used by governments and corporations and is becoming increasingly common among individual users, reflecting its status as the prevailing standard for data security and privacy.
The most common use of E2EE is for secure communications on mobile and online messaging services. It is also widely used by password managers to protect users’ passwords; for data storage purposes to ensure that data is protected when it is stored and when it is transmitted between devices or to the cloud; and for file-sharing purposes, including peer-to-peer file sharing, encrypted cloud storage, and specialised file transfer services.
Using E2EE means that no one else, including the service provider facilitating the communications, has access to the unencrypted data without consent. If it were to be intercepted, the data would appear to third parties as random, unintelligible characters.
As the service provider facilitating the communications does not have access to the unencrypted data due to E2EE, it is unable to provide it to any third party. That includes governments and law enforcement agencies that criticize E2EE as an obstacle to investigations while at the same time relying on and demanding the strongest available encryption to protect their own systems. Thus, the debate over E2EE is not about balancing privacy and security. It is about whether governments can demand systemic insecurity while insisting on absolute security for themselves.
The risks of ‘exceptional access’
“Exceptional access” is the term used to describe the mechanism for enabling government access to encrypted communications. Different governments take different approaches to the methods they use to seek exceptional access. While the intentions behind exceptional access may be noble, facilitating such mechanisms in E2EE communications can create more problems than it seeks to solve.
The creation of government-mandated security vulnerabilities, commonly known as backdoors, into E2EE services jeopardizes the security and privacy of global communications. Once a backdoor is built, no one can guarantee that only the authorised third party will have access to it. Malicious actors will try to use such backdoors to enter and decrypt communications that are intended to be secure on the endpoints and only accessible to the sender and recipients. It is for this reason that the world’s leading providers have avowed publicly never to do so.
Third-party exceptional access mechanisms in which a copy of a user’s decryption keys are held by a “trusted” third party for potential future use by the government are at present fraught with insurmountable technological and security issues. Industry, backed by the vast majority of relevant experts, is saying that it’s simply not possible to have E2EE where a third party holds a key. It defeats E2EE’s central premise and is a deliberate breach of the security guarantee that E2EE provides.
Any kind of repository where providers are forced to store the keys would become a treasure trove of a target for attackers – especially so for sophisticated state actors who, as we have repeatedly seen, are adept at breaking into worldwide telecommunications networks and critical infrastructure.
Why encryption is not an existential threat to law enforcement
In any event, governments have for decades warned of the existential threat posed by encryption and on the grim possibility of “going dark.” But they have not gone dark, and there exist other means by which governments can get valuable data. Metadata remains available. Enhanced investigative means and other investigative tools are ever evolving and becoming more sophisticated.
Governments should be careful about what they wish for. In seeking to fetter E2EE, they may drive the very actors whose data they most need away from mainstream providers, most of whom have long-standing collaborative relationships with law enforcement. In doing so, they will lose the ability to gain the data they can still obtain notwithstanding the use of E2EE – or, worse, they will undermine the very technology on which they also rely.
At this stage of technological development, there exists no meaningful way to grant governments “exceptional access” to encrypted communications without deliberately engineering systemic vulnerability into the digital infrastructure on which billions of people, institutions, and governments themselves depend.
Once such vulnerabilities exist, they cannot be confined to the well-intentioned or the lawful; they become available to hostile states, criminal actors, and anyone capable of exploiting them. The consensus among technologists and security experts is unequivocal: E2EE either works for everyone, or it is broken for everyone. Governments may continue to warn of impending darkness, but the greater danger lies in demanding insecurity by design – an outcome that would fundamentally undermine trust, resilience, and the security of the global communications ecosystem.
2026 growth in Africa to drop by up to 0.2% due to Iran war: Report
Indian reforms strengthen DGFT norms committees’ functioning: Ministry
How words shaped the narrative in the US-Israel conflict with Iran
-
Fashion4 days agoFrance’s LVMH Q1 revenue falls 6%, shows resilience amid Iran war
-
Sports1 week agoThe case for Man United’s Fernandes as Premier League’s best
-
Entertainment1 week agoPalace left in shock as Prince William cancels grand ceremony
-
Business1 week agoUK could adopt EU single market rules under new legislation
-
Entertainment5 days agoIs Claude down? Here’s why users are seeing errors
-
Fashion1 week agoEnergy emerges as biggest cost driver in textile margins
-
Sports1 week agoLamar Jackson hits back at critics with faithful message on social media
-
Business7 days agoDelta Air Lines unveils first new Delta One suite in premium cabin arms race