HN Read NIST’s CVE Triage as a Warning About Security Metadata Debt

Original: NIST gives up enriching most CVEs

Apr 20, 2026 | By Insights AI (HN)

The Hacker News thread around NIST’s NVD change was less about bureaucracy than about who maintains the metadata defenders rely on. NIST said on April 15, 2026 that it is moving the National Vulnerability Database to a risk-based enrichment model. CVEs outside the priority categories will still be listed, but they will not be immediately enriched with the severity, product, and related details many security teams use for triage.

The volume problem is real. NIST says CVE submissions increased 263% between 2020 and 2025, and submissions in the first three months of 2026 were nearly one-third higher than the same period last year. The agency enriched nearly 42,000 CVEs in 2025, 45% more than any previous year, but says that pace still is not enough.

Starting April 15, NIST will prioritize enrichment for CVEs in CISA’s Known Exploited Vulnerabilities catalog, CVEs affecting software used within the federal government, and CVEs for critical software as defined by Executive Order 14028. Other CVEs can be marked “Lowest Priority - not scheduled for immediate enrichment.” NIST will also stop routinely issuing a separate severity score when the submitting CVE Numbering Authority has already supplied one, although users can request enrichment or reanalysis by email.

The community discussion noted two uncomfortable realities at once. Some commenters worried that vendor-supplied scores can understate flaws, especially when the vendor is also the CNA. Others argued that NVD severity data was already too noisy to treat as a final source of truth, and that the flood of low-quality or AI-assisted reports has made universal enrichment unrealistic. The useful takeaway is operational: vulnerability management can no longer pretend one public database will normalize everything on time.

Read the HN discussion, the Risky Bulletin item, and NIST’s update.
