On NVD Users' Attitudes, Experiences, Hopes and Hurdles

Julia Wunder, Alan Corona, Andreas Hammer, Zinaida Benenson

TL;DR

The paper investigates how users interact with the National Vulnerability Database (NVD), highlighting its role as a central, structured vulnerability information hub while documenting practical usability challenges. Through a qualitative preliminary interview study (n=7) and a larger quantitative survey (n=71 users, 101 total respondents), it reveals that the NVD is widely consulted and valued for CVE IDs, descriptions, CVSS scores, and references, but suffers from CVSS misalignments, incomplete or incorrect records, and upstream delays in CVE data. The authors also interview NVD staff to diagnose root causes—in particular, variability in CVE data quality across CNAs and gaps in the CVE Program—while outlining provider-led improvements (CVMAP, Vulntology, CVSS 4.0, SBOM-enabled CPE data) and organizational changes (NVD Consortium). Overall, the NVD remains a critical, largely positive resource for vulnerability management, but the study highlights important usability gaps and a clear demand for standardized formats and expanded governance to enhance data quality and integration. The findings inform practical guidance for practitioners and policymakers to improve vulnerability information ecosystems and resilience in software supply chains.

Abstract

The National Vulnerability Database (NVD) is a major vulnerability database that is free to use for everyone. It provides information about vulnerabilities and further useful resources such as linked advisories and patches. The NVD is often considered the central source for vulnerability information and an aid to the resource-intensive process of vulnerability management. Although the NVD receives much public attention, little is known about its usage in vulnerability management, users' attitudes towards it and whether they encounter any problems during usage. We explored these questions using a preliminary interview study with seven people, and a follow-up survey with 71 participants. The results show that the NVD is consulted regularly and often aids decision making. Generally, users are positive about the NVD and perceive it as a helpful, clearly structured tool. But users also faced issues: missing or incorrect entries, incomplete descriptions or incomprehensible CVSS ratings. In order to identify the problems' origins, we discussed the results with two senior NVD members. Many of the problems can be attributed to higher-level problems such as the CVE List or limited resources. Nevertheless, the NVD is working on improving existing problems.

Paper Structure (50 sections, 4 figures, 2 tables)

Figures (4)

  • Figure 1: Sources that are used by the participants for gathering information about vulnerabilities ($N = 71$).
  • Figure 2: Overview of which components of an NVD record are used by the participants ($N = 71$).
  • Figure 3: Problems participants encounter when using the NVD, and their frequency ($N = 71$).
  • Figure 4: Statements and participants' agreement for NVD usability ($N = 71$).