On NVD Users' Attitudes, Experiences, Hopes and Hurdles

TL;DR

This study investigates how users interact with the NVD, revealing positive attitudes but also highlighting issues like data inaccuracies and rating incomprehensibility, with insights from user surveys and expert discussions.

Contribution

It provides empirical insights into NVD users' attitudes, experiences, and challenges, and discusses potential causes and ongoing improvements.

Findings

NVD is regularly used and aids decision-making.

Users perceive NVD as helpful and well-structured.

Users face issues like missing data and confusing ratings.

Abstract

The National Vulnerability Database (NVD) is a major vulnerability database that is free to use for everyone. It provides information about vulnerabilities and further useful resources such as linked advisories and patches. The NVD is often considered as the central source for vulnerability information and as a help to improve the resource-intensive process of vulnerability management. Although the NVD receives much public attention, little is known about its usage in vulnerability management, users' attitudes towards it and whether they encounter any problems during usage. We explored these questions using a preliminary interview study with seven people, and a follow-up survey with 71 participants. The results show that the NVD is consulted regularly and often aids decision making. Generally, users are positive about the NVD and perceive it as a helpful, clearly structured tool. But users also faced issues: missing or incorrect entries, incomplete descriptions or incomprehensible CVSS ratings. In order to identify the problems origins, we discussed the results with two senior NVD members. Many of the problems can be attributed to higher-level problems such as the CVE List or limited resources. Nevertheless, the NVD is working on improving existing problems.