Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updating
CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
The world’s most widely used vulnerability index – the Common Vulnerabilities and Exposures (CVE) system – is failing, with scores often inaccurate and appearing too late.
According to research from DevSecOps firm Sonatype, of the 1,552 open source vulnerabilities disclosed in 2025, only 36% had a CVSS score assigned by the National Vulnerability Database (NVD); the remaining 64% lacked an NVD severity score altogether.
Nearly half of those unscored vulnerabilities were nonetheless rated ‘Critical’ or ‘High’ in severity.
Over the course of the year, the mean delay between disclosure and NVD scoring was more than six weeks, with some advisories waiting up to 50 weeks.
This, researchers warned, is creating an operational bottleneck and placing enterprises globally at risk.
"In an era where exploit proofs-of-concept appear within hours and patches land within days, such lag times make 'official' data functionally irrelevant. By the time NVD assigns a score, attackers have already exploited and moved on," researchers noted.
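The figures above (share of CVEs with no NVD score, and the lag between publication and scoring) are the kind of check a defender can run against their own vulnerability feed. The script below is an added example, not code from the article or from Sonatype. It follows the field layout of the public NVD CVE API 2.0 JSON (`published`, `lastModified`, `vulnStatus`, and `metrics.cvssMetricV31[]` entries whose `type` is `Primary` for NVD's own assessment or `Secondary` for a score republished from the CNA), but the records it processes are constructed here for illustration, and the CVE identifiers are hypothetical. It also assumes that `lastModified` on an analyzed record approximates the date NVD finished scoring, since the API does not expose the analysis date directly.

```python
"""Triage NVD API 2.0-style CVE records for missing NVD scores and scoring lag.

Added example; not code from the article or from Sonatype. Record layout
follows the public NVD CVE API 2.0 JSON. Records and CVE IDs below are
constructed for illustration and are not real CVE data.
"""
from datetime import datetime
from statistics import mean

# Constructed sample records (hypothetical IDs, not real CVEs).
SAMPLE_RECORDS = [
    {   # NVD-analyzed and scored within days
        "id": "CVE-0000-0001",
        "published": "2025-03-01T10:00:00.000",
        "lastModified": "2025-03-05T12:00:00.000",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"type": "Primary", "source": "nvd@nist.gov",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
        ]},
    },
    {   # Only a CNA-supplied (Secondary) score; NVD has not analyzed it
        "id": "CVE-0000-0002",
        "published": "2025-03-10T08:00:00.000",
        "lastModified": "2025-03-10T08:00:00.000",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {"cvssMetricV31": [
            {"type": "Secondary", "source": "cna@example.org",
             "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
        ]},
    },
    {   # No metrics of any kind yet
        "id": "CVE-0000-0003",
        "published": "2025-04-01T00:00:00.000",
        "lastModified": "2025-04-01T00:00:00.000",
        "vulnStatus": "Received",
        "metrics": {},
    },
    {   # NVD-analyzed, but only after a long delay
        "id": "CVE-0000-0004",
        "published": "2025-01-01T00:00:00.000",
        "lastModified": "2025-03-12T00:00:00.000",   # 70 days after publication
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"type": "Primary", "source": "nvd@nist.gov",
             "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}},
        ]},
    },
]

NVD_TS = "%Y-%m-%dT%H:%M:%S.%f"   # timestamp format used by the NVD API
SEVERITY_ORDER = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def nvd_primary_score(record):
    """Return NVD's own (type == "Primary") CVSS v3.1 base score, or None.

    A "Secondary" entry is a CNA- or vendor-supplied score that NVD merely
    republishes; it is not an NVD assessment, so it does not count here.
    """
    for m in record.get("metrics", {}).get("cvssMetricV31", []):
        if m.get("type") == "Primary":
            return m["cvssData"]["baseScore"]
    return None


def best_available_severity(record):
    """Highest baseSeverity from any CVSS v3.1 entry, NVD or not (None if none)."""
    sevs = [m["cvssData"]["baseSeverity"]
            for m in record.get("metrics", {}).get("cvssMetricV31", [])]
    return max(sevs, key=SEVERITY_ORDER.get, default=None)


def triage(records):
    """Summarise which records lack an NVD score and how long scoring took.

    Assumption: for an analyzed record, lastModified approximates the date NVD
    completed its analysis; the API does not expose that date directly.
    """
    unscored, lags_days = [], []
    for r in records:
        if nvd_primary_score(r) is None:
            unscored.append({"id": r["id"], "status": r.get("vulnStatus"),
                             "other_severity": best_available_severity(r)})
        else:
            pub = datetime.strptime(r["published"], NVD_TS)
            mod = datetime.strptime(r["lastModified"], NVD_TS)
            lags_days.append((mod - pub).total_seconds() / 86400)
    return {
        "total": len(records),
        "unscored": unscored,
        "unscored_share": len(unscored) / len(records) if records else 0.0,
        "mean_lag_days": mean(lags_days) if lags_days else None,
        "max_lag_days": max(lags_days) if lags_days else None,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RECORDS)
    print(f"{len(report['unscored'])}/{report['total']} records lack an NVD score "
          f"({report['unscored_share']:.0%}); mean lag for scored ones: "
          f"{report['mean_lag_days']:.1f} days, max {report['max_lag_days']:.0f} days")
    for u in report["unscored"]:
        print(f"  {u['id']}: {u['status']}, best non-NVD severity: {u['other_severity']}")
```

The point of separating `Primary` from `Secondary` entries is that a record can carry a CNA score (here CVE-0000-0002, Critical) and still be "unscored" in NVD's sense; if a pipeline only checks for the presence of any `cvssMetricV31` entry, it will overstate NVD coverage. Records with no score at all (CVE-0000-0003) are the ones that fall through severity-based patch prioritisation entirely and should be triaged on other signals.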
CVE ratings are missing the mark
Meanwhile, Sonatype found the ratings themselves are often unreliable. Of the CVEs that were scored, fewer than one in five severity ratings were correct.
In 62% of cases the NVD score overstated severity, and in 34% it understated it. On top of that, Sonatype identified 19,945 false positives and 156,474 false negatives across CVE records: the former waste developer time on non-issues, while the latter obscure real threats.
Of the CVEs that changed severity category after Sonatype analysis, 83% moved to a lower category.
“The CVE program was never built for the scale and speed of modern, component-based software development. That has been the case with open source, and is even more true with AI,” said Brian Fox, CTO and co-founder of Sonatype.
“Vulnerability intelligence must shift from indexing what someone assigned yesterday, to delivering real-time insight into what’s actually running in your environment.
“CVE remains a shared language — but it can’t be the full story anymore. We need intelligence that is dynamic: version-aware, ecosystem-aware and ready at machine-speed.”
CVE data is vital in combating cyber crime
CVE data is fundamental to the vast majority of cybersecurity decisions. But in 2024, between February and May, NVD simply stopped scoring most new CVEs as it awaited contract renewal.
By May, 93% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck. Since then, Sonatype said, NVD has not returned to its earlier analysis throughput.
The researchers note that both NVD and the Mitre Corporation have made improvements to the system over the last eighteen months – but more needs to be done.
"With the current MITRE–US government contract set to expire in March 2026, the coming year marks a pivotal moment to reassess how the CVE program operates — and whether its next phase will modernize to meet the realities of today’s software ecosystem," they noted.
"This is the window to ask harder questions, test alternatives, and ensure the next iteration of vulnerability intelligence serves defenders, not legacy processes."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.