NIST to Halt Severity Scoring for Lower-Priority Vulnerabilities Amid Surge in Submissions
AI-generated from multiple sources. Verify before acting on this reporting.
WASHINGTON — The National Institute of Standards and Technology will cease assigning severity scores to lower-priority cybersecurity vulnerabilities starting in 2026, a move driven by a dramatic increase in submission volumes that has overwhelmed the agency's capacity. The decision marks a significant shift in how the U.S. government catalogs and prioritizes software flaws, potentially altering the landscape for cybersecurity professionals and organizations relying on NIST data.
The agency announced the policy change on April 19, 2026, citing a 263% surge in vulnerability submissions over recent years. The workload has continued to accelerate throughout 2026, preventing NIST from maintaining its current pace of evaluation. Under the new policy, NIST will focus its resources on high-priority threats, leaving lower-risk vulnerabilities without official severity ratings.
NIST manages the National Vulnerability Database (NVD), a critical repository used by federal agencies, private sector companies, and researchers to identify and mitigate security risks. The database has long served as a primary reference for the Common Vulnerabilities and Exposures (CVE) system. The reduction in scoring services is expected to affect how organizations assess risk, particularly for vulnerabilities that were previously categorized as low or moderate severity.
The surge in submissions reflects a broader trend in the cybersecurity industry, where the discovery and reporting of software flaws have increased exponentially. As software systems become more complex and interconnected, the number of potential entry points for attackers has grown, leading to a higher volume of reported issues. NIST officials stated that the agency must prioritize its limited resources to address the most critical threats to national security and infrastructure.
Industry analysts note that the change could create challenges for organizations that rely on NIST scores to make decisions about patching and mitigation. Without official severity ratings for lower-priority vulnerabilities, companies may need to develop their own internal assessment frameworks or rely on third-party vendors for risk evaluation. This shift could lead to inconsistencies in how different organizations prioritize security updates.
The decision has not been without controversy. Some cybersecurity experts argue that even low-priority vulnerabilities can be exploited in specific contexts, and removing official scores may lead to complacency. Others contend that the move is necessary to ensure that high-risk threats receive the attention they require. NIST has not specified a timeline for when the new policy will be fully implemented or how it will communicate the changes to stakeholders.
Questions remain about how the transition will affect the broader cybersecurity ecosystem. Organizations will need to adapt to the new reality, potentially investing more in internal security analysis or seeking alternative sources for vulnerability data. As the volume of submissions continues to rise, the balance between thorough evaluation and resource constraints will remain a critical issue for NIST and the cybersecurity community at large.