CISA Announced Vulnrichment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced a new initiative called “Vulnrichment” aimed at enriching Common Vulnerabilities and Exposures (CVE) records with additional metadata to help organizations better prioritize vulnerability remediation efforts.

The Vulnrichment project, hosted in a public GitHub repository, will focus on adding key data points to CVE records, including:

  • Common Platform Enumeration (CPE) identifiers
  • Common Vulnerability Scoring System (CVSS) scores
  • Common Weakness Enumeration (CWE) identifiers
  • Exploitation status (e.g. proof-of-concept, active exploitation)

CISA is leveraging its Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree model to assess and categorize vulnerabilities based on factors like exploitation status, technical impact, and potential for automated exploitation.


High-priority vulnerabilities will then undergo further analysis to determine if CISA can confidently assert the additional CPE, CVSS, and CWE metadata.

Importantly, CISA will not be overwriting any of the original CVE data submitted by CVE Numbering Authorities (CNAs).

The enriched data will be provided as a supplement using the standard CVE JSON format, allowing it to be easily ingested by vulnerability management systems.
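As an added illustration (not code from the article or from CISA's repository), the snippet below reads a constructed CVE JSON 5.1-style record in which the CNA container sits alongside a supplemental ADP container, and pulls out the CVSS, CWE, CPE and SSVC enrichment without touching the CNA data. The container layout follows the CVE JSON 5.1 schema; the ADP title and the SSVC option names are assumptions.

```python
import json

# Constructed sample in CVE JSON 5.1 layout (not a real CVE; all values invented).
# "cna" holds the CNA's original submission; "adp" holds supplemental containers such
# as CISA's, carrying CVSS, CWE, CPE and SSVC decision points alongside the CNA data.
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "descriptions": [{"lang": "en", "value": "Constructed example."}],
            "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp"}],
        },
        "adp": [{
            "title": "CISA ADP Vulnrichment",  # assumed title, illustrative only
            "metrics": [
                {"cvssV3_1": {"baseScore": 8.8, "baseSeverity": "HIGH",
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}},
                {"other": {"type": "ssvc", "content": {"options": [
                    {"Exploitation": "poc"}, {"Automatable": "no"},
                    {"Technical Impact": "total"}]}}},
            ],
            "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787"}]}],
            "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                          "cpes": ["cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"]}],
        }],
    },
})


def summarize_enrichment(record_json):
    """Read CNA data and ADP enrichment side by side; the CNA container is never modified."""
    rec = json.loads(record_json)
    cna = rec["containers"]["cna"]
    out = {"cve": rec["cveMetadata"]["cveId"], "cna_affected": cna["affected"],
           "cvss": None, "cwes": [], "cpes": [], "ssvc": {}}
    for adp in rec["containers"].get("adp", []):      # one entry per enriching ADP
        for m in adp.get("metrics", []):
            if "cvssV3_1" in m:
                out["cvss"] = (m["cvssV3_1"]["baseScore"], m["cvssV3_1"]["vectorString"])
            if m.get("other", {}).get("type") == "ssvc":
                for opt in m["other"]["content"]["options"]:   # e.g. {"Exploitation": "poc"}
                    out["ssvc"].update(opt)
        for pt in adp.get("problemTypes", []):
            out["cwes"] += [d["cweId"] for d in pt["descriptions"] if "cweId" in d]
        for aff in adp.get("affected", []):
            out["cpes"] += aff.get("cpes", [])
    # Flag records whose SSVC exploitation decision point reports PoC or active exploitation.
    out["exploitation_seen"] = out["ssvc"].get("Exploitation") in ("poc", "active")
    return out
```

Because the function only reads the `cna` container and collects enrichment from `adp`, a vulnerability management pipeline built this way keeps the CNA's original data intact while still gaining the supplemental fields for prioritization.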

“It’s great to see CISA stepping up to fill the CVE enrichment gap that the NIST NVD has neglected to address,” said Patrick Garrity, a security researcher at VulnCheck. “It will take a collaborative effort across CVE.org CNAs, software suppliers, government agencies, and the private sector to fill the gap NVD continues to leave behind.”

Chris Hughes, founder of Aquia and former CISA fellow, praised the Vulnrichment program as “an excellent resource for CISA to share with the community,” noting that CISA has already enriched over 1,000 CVE records with additional context to aid in prioritization.

CISA says the Vulnrichment project will evolve quickly based on feedback from the cybersecurity community. In the near future, the agency plans to start sharing the SSVC decision points alongside the enriched CVE data to provide more transparency into its prioritization methodology.

The Vulnrichment effort aligns with CISA’s broader push to modernize its cybersecurity programs, like the National Cybersecurity Protection System (NCPS), to better support cloud computing environments. This includes ingesting security telemetry data directly from agencies’ cloud service providers.

“CISA’s ‘Vulnrichment’ initiative is a pivotal step in the right direction,” said Immanuel Chavoya, CEO of RiskHorizon.ai. “However, true resilience lies in preemptive enrichment of all CVEs before exploitation occurs. Waiting for indicators of exploitation to populate CVEs still introduces delays downstream.”

The cybersecurity community is encouraged to provide feedback on the Vulnrichment project via GitHub issues and pull requests. CISA can also be contacted directly at [email protected].


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.