NIST has announced it will no longer enrich all CVEs in the National Vulnerability Database (NVD), instead focusing only on vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog, software used by US federal agencies, and software classified as 'critical.' The agency also announced it will stop providing its own CVSS severity scores, instead showing scores assigned by the CVE-issuing organization. This policy change, effective April 15, 2026, is a response to budget constraints and an explosion in CVE volume (48,000+ in 2025 alone). The move has significant implications for vulnerability management vendors who relied on NVD data, and raises concerns about score manipulation by software vendors. The newsletter also covers numerous other cybersecurity incidents, threat intel reports, new tools, and policy developments.
Table of contents

Risky Bulletin Newsletter
April 17, 2026
Risky Business Podcasts
Breaches, hacks, and security incidents
General tech and privacy
Government, politics, and policy
Sponsor section
Arrests, cybercrime, and threat intel
Malware technical reports
Sponsor section
APTs, cyber-espionage, and info-ops
Vulnerabilities, security research, and bug bounty
Infosec industry
Risky Business podcasts