
NIST Triage Collapse: Vulnerability Rating Backlog Forces Abandonment of Low-Priority CVE Scoring

NIST will cease assigning severity scores to lower-priority vulnerabilities, unable to keep pace with the volume of submissions. This degrades the utility of the Common Vulnerability Scoring System and creates ambiguity for defenders prioritising patch cycles.

Sebastion

Affected

NIST CVE Programme
All organisations relying on CVSS scoring

NIST's decision to stop rating non-priority vulnerabilities represents a critical inflection point in vulnerability disclosure governance. The CVE and CVSS systems were built on the assumption that trained analysts could maintain quality coverage across. That assumption has collapsed. Submission volumes have outpaced human curation capacity, forcing NIST to abandon lower-priority flaws rather than rate them with questionable rigour.

The practical consequence is immediate: enterprises and tool vendors who automate patch prioritisation using CVSS scores will encounter numerous CVEs with no official severity rating. This creates a vacuum that will be filled by secondary scoring systems, vendor risk ratings, and heuristic guessing. Different organisations will reach different conclusions about the same vulnerability, increasing both inconsistency and the risk that critical flaws slip through cracks in fragmented assessment.

The root cause is architectural. CVE submission rates have grown exponentially due to increased vulnerability research, automated scanning, and regulatory pressure to disclose. Simultaneously, NIST has not scaled staff or developed systematic triage methods to handle this volume. The decision to deprioritise low-severity CVEs is rational from a resource perspective but represents a failure of the system itself. Low-priority does not mean low-impact; many vulnerabilities are damaging in specific contexts or when chained with others.

Defenders should prepare for this shift by reducing their dependency on official CVSS scores. This means investing in internal vulnerability assessment frameworks that integrate threat intelligence, exploit availability, attack surface context, and environmental factors. Organisations should also pressure NIST to publish its triage methodology publicly, allowing third parties to build reliable replacement scoring systems rather than reverting to opaque vendor ratings.
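As an added illustration, not code from the article or from NIST, here is one way a defender might express such an internal framework in Python: a CVE with no official CVSS rating is scored from exploit availability, exposure and asset context rather than dropped, and a rated CVE is blended with the same context. The weights, thresholds, field names and sample findings are assumptions.

```python
# Added example (not from the article or NIST): a fallback prioritisation that
# never drops a CVE just because no official CVSS rating was assigned.
# Weights, field names and the sample findings are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    cve_id: str
    cvss: Optional[float]      # None when NIST has not assigned a base score
    exploit_public: bool       # public exploit code or observed exploitation
    internet_exposed: bool     # affected asset reachable from the internet
    asset_criticality: int     # 1 = low, 2 = important, 3 = crown jewel
    chain_candidate: bool      # minor alone, but a useful step in a chain

def contextual_score(f: Finding) -> float:
    """0..10 score from environment and threat-intel factors only."""
    score = 2.0                            # floor: unrated never means zero
    if f.exploit_public:
        score += 3.0
    if f.internet_exposed:
        score += 2.0
    score += float(f.asset_criticality - 1)
    if f.chain_candidate:
        score += 1.0
    return min(score, 10.0)

def priority(f: Finding) -> tuple[float, str]:
    """(score, provenance): contextual when unrated, otherwise a blend that
    still lets exposure raise or lower the official number."""
    ctx = contextual_score(f)
    if f.cvss is None:
        return round(ctx, 2), "contextual"
    return round(0.6 * f.cvss + 0.4 * ctx, 2), "blended"

def rank(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Highest priority first; provenance shows which scores lack NIST input."""
    rows = [(f.cve_id, *priority(f)) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample; the identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-0001", None, True, True, 3, True),    # unrated but exposed
    Finding("CVE-0000-0002", 9.8, False, False, 2, False),  # critical, internal
    Finding("CVE-0000-0003", 5.0, False, False, 1, False),  # medium, low asset
]

if __name__ == "__main__":
    for cve, score, source in rank(SAMPLE):
        print(f"{cve} {score:>5} ({source})")
```

The provenance column is the point: reports can show which priorities rest on no official input at all, so those are reviewed rather than silently trusted.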

Longer term, this signals that the CVE system requires fundamental redesign. A flat prioritisation scheme cannot scale; the industry needs tiered disclosure with different quality standards for different risk levels, automated scoring for routine flaws, and human review reserved for genuinely novel or complex cases. Until that happens, defenders operating at scale cannot rely solely on national infrastructure and must build their own intelligence pipelines.