
Privatize all teh things?


April 2024 article on the result of NVD funding cutbacks, with comments by Linux Foundation OpenSSF, security startups like ChainGuard and commercial vendors, https://www.securityweek.com/cve-and-nvd-a-weak-and-fracture...

  Threat intelligence firm Flashpoint noted in March 2024 it was aware of 100,000 vulnerabilities with no CVE number and consequently no inclusion in NVD. More worryingly, it said that 330 of these vulnerabilities (with no CVE number) had been exploited in the wild. Since the start of 2024 there have been a total of 6,171 total CVE IDs with only 3,625 being enriched by NVD. That leaves a gap of 2,546 (42%!) IDs.
Despite all those private companies and various OSS projects being willing to contribute ideas, infrastructure and code, they have somehow failed to coalesce into a decentralized replacement for NVD, built on CC0 data and OSS tooling.


I tried to look over the history and I only see a funding increase: CISA cut $3.7 million at the end of 2023 for the next year, and in response NIST reallocated extra funding to NVD: $8.5 million in 2024.

A funding shortfall and strain isn't a funding cut. And from what I see there was a funding increase.


Would appreciate a pointer to the source, thank you.

2025 article claims 30% increase in 2024 workload, https://www.securityweek.com/mitre-signals-potential-cve-pro...

> According to NIST, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.


Can search these for the links

2023

> CISA had previously been supporting the NIST NVD program with approximately $3.7 million per year in interagency funding, which they have discontinued

2024

> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025

Assuming that's spread over both years it wasn't as big of an increase as I said, but is still an increase even inflation adjusted.

> 2025 article claims 30% increase in 2024 workload

Underfunding in the face of more workload isn't itself a funding cut.


Thanks for the pointer. Is this a lobbying org? https://www.fdd.org/analysis/policy_briefs/2025/03/21/delaye...

> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025, this funding remains a fraction of the $300 million to $400 million estimated to be needed annually to fully restore capacity, with an additional $120 million to $150 million required to prevent further system “deterioration.”

Did NVD receive 300MM annual funding pre-2024? That would be a 98% funding cut.


300 million would’ve been a quarter of the NIST budget. Doubt.


Yeah, bizarre site.

MITRE CVE/CWE budget is more transparent than NVD since it's a contract, listed on USAspending.gov.


This neo-liberal approach has no place for soft diplomacy, which is what US hegemony relies on.

This isn't just a rapid disassembly of economic structures, any trust and goodwill is completely obliterated as well.


For decades, the US could be counted upon to fund things with little immediate benefit but massive long-term positive externalities. I don't think it's likely that the Republican Party will "go back to normal" post-Trump, so we can all kiss the long-term reputation building that American hegemony relied upon goodbye. Short of a Great Depression-esque political reset, I do not see things changing for the better.

