The database that the world’s security teams depend on to know what to fix — and when — is drowning. What comes next may be more dangerous than the vulnerabilities themselves.
For decades, when a software vulnerability was discovered, a familiar sequence followed. A researcher filed a report. A CVE number was assigned. The National Institute of Standards and Technology enriched that entry with context: a CVSS severity score, a CWE classification of the underlying weakness, and CPE identifiers naming the affected products. Security teams everywhere used that information to decide what to patch first. The system was imperfect, but it held.
It is no longer holding.
CVE submissions have grown 263% between 2020 and 2025, a volume that has overwhelmed the federal infrastructure designed to process them. NIST, which maintains the National Vulnerability Database, has quietly acknowledged what practitioners have been saying aloud for months: the agency can no longer enrich every vulnerability it receives. Triage — long considered a last resort — is now official policy.
The consequences are arriving faster than most organizations anticipated.
“For years, security teams relied on NVD for vulnerability context to support prioritization decisions,” said Ian Gray, Vice President of Intelligence at Flashpoint. “But that model is under real strain. The result is a widening gap between the volume of vulnerabilities being disclosed and the amount of context defenders have available to evaluate them. That gap doesn’t disappear just because enrichment becomes more selective.”
In plain terms: the system that tells security professionals what is dangerous and how dangerous it is has begun to go dark — selectively, silently, and at precisely the moment when clarity is most needed.
A Crisis of Volume, and of Labor
The numbers compound in troubling ways. FIRST.org, the Forum of Incident Response and Security Teams, which coordinates vulnerability response globally, has projected that disclosures in the coming years could reach double the volume recorded in 2025. Meanwhile, the U.S. Bureau of Labor Statistics reported a decline in system administrator jobs last year, the very workforce responsible for acting on the information NVD provides.
Andrew Chipman, GRC Manager at ProCircular, frames the collision starkly. “Volume of new published vulnerabilities vastly outpaces the time allowed for system administrators to fix them,” he said. “Instead of maintaining and patching critical systems, system administrators are buried by projects, bug fixes, and distractions.”
His prescription is blunt: organizations need dedicated maintenance teams, a structural investment that most have never made and fewer are positioned to make now. “Organizations should focus on fixing known exploited vulnerabilities first, critical vulnerabilities second, and everything else after that,” Chipman added — an acknowledgment that comprehensive defense is no longer a realistic ambition.
Shane Fry, Chief Technology Officer at RunSafe Security, sees the NIST announcement as a turning point that the industry can no longer defer. “The announcement is a signal to the industry that the era of waiting for a CVE score before acting has come to an end,” he said. The organizations best positioned to survive this shift, in his view, are those drawing on multiple intelligence sources rather than a single federal database. “Vulnerability visibility is imperfect, but organizations that use a diverse set of vulnerability data sources will have more reliable insight.”
More unsettling still is his warning about the vulnerabilities no database will ever capture. “Organizations need to assume unknown vulnerabilities already exist in their software and deploy protections that can prevent exploitation before a patch — or a CVE score — is ever available.”
The AI Flood No One Planned For
Beneath the structural overload lies a second crisis, newer and, in some respects, more insidious. Artificial intelligence has lowered the barrier to vulnerability hunting so dramatically that the volume of reports being filed has taken on a different character. Many of them are noise.
Jim Sherlock, Vice President of AI and Cybersecurity R&D at ProCircular, describes what has happened to the human beings on the receiving end.
“Now that anyone with access to a frontier model can just point it at a codebase and say, ‘go hunt,’ they’re turning around and slamming maintainers with endless reports, hoping to score some cash, a little clout, or just a pat on the back,” he said. “No maintainer of open-source projects is immune to it.”
The community has a name for it now: Death by a Thousand Slops. It functions, Sherlock explains, as a crude denial-of-service attack — not on a server, but on a developer’s attention and time. The maintainer of curl, one of the internet’s most widely used open-source tools, shuttered his bug bounty program entirely rather than continue processing the deluge. He was not alone.
The implications extend well beyond individual burnout. “Between projects pulling the plug on bounties and federal databases giving up on comprehensive analysis just to survive the backlog, the entire cybersecurity industry is being forced to radically re-engineer how it handles vulnerability reporting in the AI era,” Sherlock said. “All of this while the next class of hyper-capable frontier models is lining up on the tarmac, engines running, ready to flood the zone faster than any human could ever hope to patch.”
What Happens Next
There is no clean resolution on the horizon. The database will not suddenly catch up. The volume will not abate. The workforce will not expand quickly enough.
What is changing is the posture that serious security organizations are beginning to adopt, one that treats the CVE pipeline as one signal among many rather than the definitive authority it once was. Threat intelligence feeds, CISA's Known Exploited Vulnerabilities catalog, scores supplied by the reporting CNA in the CVE record itself, behavioral monitoring, and assumption-of-breach frameworks are filling the space that NVD can no longer reliably occupy.
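The prioritization rule Chipman describes (known exploited first, critical second, everything else after) and the multi-source posture Fry and this section call for can be made concrete in a small triage routine. The following is an added illustration written for this article, not code from NIST, CISA, FIRST or any of the vendors quoted. It assumes a record shape with an NVD score, a CNA-supplied score, a KEV flag and an EPSS probability (field names, the 9.0 and 0.10 thresholds, and the sample records are all assumptions); the point it adds to the text is how to handle a record that arrives with no NVD enrichment at all, which is the failure mode the article is about.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: tiered vulnerability triage that does not block on NVD
# enrichment. Illustrative code only; field names, thresholds and sample
# data are assumptions, not any organization's real feed format.


@dataclass
class VulnRecord:
    cve_id: str
    in_kev: bool                       # listed in CISA's Known Exploited Vulnerabilities catalog
    nvd_cvss: Optional[float] = None   # NVD-enriched base score; None when NVD has not enriched it
    cna_cvss: Optional[float] = None   # score the reporting CNA placed in the CVE record itself
    epss: Optional[float] = None       # FIRST EPSS exploitation probability, 0.0 to 1.0


CRITICAL_CVSS = 9.0   # assumed cut-off for "critical"
HIGH_EPSS = 0.10      # assumed cut-off for "likely to be exploited"; tune per environment


def effective_cvss(rec: VulnRecord) -> Optional[float]:
    """Best available severity: NVD's score if enriched, else the CNA's, else None."""
    if rec.nvd_cvss is not None:
        return rec.nvd_cvss
    return rec.cna_cvss


def triage_tier(rec: VulnRecord) -> int:
    """Lower tier is more urgent.

    1: known exploited (KEV), regardless of score
    2: critical by any available score, or high exploitation probability
    3: scored by someone, but not critical
    4: no score from any source -> surfaced for manual review, not silently buried
    """
    if rec.in_kev:
        return 1
    score = effective_cvss(rec)
    critical = score is not None and score >= CRITICAL_CVSS
    likely_exploited = rec.epss is not None and rec.epss >= HIGH_EPSS
    if critical or likely_exploited:
        return 2
    if score is not None or rec.epss is not None:
        return 3
    return 4


def prioritize(records: List[VulnRecord]) -> List[VulnRecord]:
    """Order by tier, then by the strongest severity signal available, descending."""
    def key(rec: VulnRecord):
        score = effective_cvss(rec) or 0.0
        epss = rec.epss or 0.0
        return (triage_tier(rec), -score, -epss, rec.cve_id)
    return sorted(records, key=key)


# Constructed sample input; these are placeholder IDs, not real CVE records.
SAMPLE_RECORDS = [
    VulnRecord("CVE-2099-00001", in_kev=False, nvd_cvss=7.5, epss=0.02),
    VulnRecord("CVE-2099-00002", in_kev=True, cna_cvss=6.1),            # KEV, never enriched by NVD
    VulnRecord("CVE-2099-00003", in_kev=False, cna_cvss=9.8),           # critical per CNA only
    VulnRecord("CVE-2099-00004", in_kev=False),                         # no score, no EPSS
    VulnRecord("CVE-2099-00005", in_kev=False, nvd_cvss=5.3, epss=0.45),  # medium score, high EPSS
]


def triage_report(records: Optional[List[VulnRecord]] = None) -> List[Tuple[str, int, Optional[float]]]:
    """Return (cve_id, tier, effective_cvss) in the order the records should be worked."""
    recs = SAMPLE_RECORDS if records is None else records
    return [(r.cve_id, triage_tier(r), effective_cvss(r)) for r in prioritize(recs)]


if __name__ == "__main__":
    for cve, tier, score in triage_report():
        print(f"tier {tier}  {cve}  cvss={score}")
```

Two design choices matter here. A missing NVD score is never treated as "low": the CNA's score is used when NVD's is absent, and a record with no score from anyone lands in its own tier so it stays visible in the queue rather than sorting to the bottom as zero. And KEV membership outranks every score, which is exactly why CVE-2099-00002, with only a medium CNA score, comes out first.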
The system built to protect the internet is being stress-tested by the very forces — exponential software complexity, AI-generated noise, underfunded infrastructure — that the internet itself produced. Whether it bends or breaks will depend less on what NIST does next and more on whether the organizations that rely on it are willing to stop waiting for a score that may never come.