Why We Stopped Trusting a Single Vulnerability Database
SentriKat now fetches CVSS scores from 3 independent sources with automatic fallback. Here's why we built multi-source vulnerability intelligence and what the NVD backlog crisis means for your security posture.
For years, the vulnerability management industry has operated on an implicit assumption: the NIST National Vulnerability Database (NVD) will always be there, always be current, and always be complete.
That assumption broke in 2024.
The NVD backlog crisis
In early 2024, NIST significantly reduced the rate at which it enriched new CVE entries in the NVD. By 2025-2026, approximately 44% of CVEs added to the NVD had no enrichment data — no CVSS score, no CPE product matching, no CWE classification.
For vulnerability management tools that depend exclusively on the NVD for severity scoring and product matching, this created a critical gap: tens of thousands of CVEs sitting in the database with no actionable data attached.
On top of the backlog, the NVD API experiences regular outages and performance degradation, and it rate-limits by design: the documented budget is 5 requests per rolling 30-second window without an API key and 50 with one, so even a healthy API throttles a naive poller. For a US federal agency facing documented funding instability, this isn’t surprising — but it’s unacceptable for organizations that depend on continuous vulnerability intelligence.
What this means for your security
If your vulnerability scanner relies on a single source for CVSS scores, you’re exposed to:
- Missing severity scores: CVEs with no CVSS score can’t be prioritized. They sit in a gray zone, neither critical nor safe.
- Delayed enrichment: A CVE published today might not get a CVSS score from NVD for weeks or months.
- Complete outages: When the NVD API goes down (which happens regularly), CVSS enrichment stops entirely.
- Regulatory risk: NIS2 (Directive (EU) 2022/2555) Article 12 tasks ENISA with developing and maintaining a European vulnerability database. Depending solely on a US government API creates sovereignty concerns for EU-regulated organizations.
Our solution: multi-source fallback chain
SentriKat now fetches vulnerability severity scores from three independent sources in a priority-based fallback chain:
| Priority | Source | What it provides |
|---|---|---|
| Primary | NIST NVD API 2.0 | The most complete CVSS enrichment source when available |
| Secondary | CVE.org + CISA Vulnrichment | CVSS scores embedded directly in CVE records by CISA, bypassing NVD entirely |
| Tertiary | ENISA EUVD | The NIS2-mandated European vulnerability database |
If the NVD has no CVSS score for a CVE, or the NVD API is unreachable or rate-limited, SentriKat checks the CVE.org record for CISA-provided enrichment via the Vulnrichment program (the CISA-ADP container of the CVE JSON 5 record; a score the CNA itself supplied sits in the CNA container of the same record). If that also lacks data, it falls back to the ENISA European Vulnerability Database.
Every CVSS score carries a cvss_source provenance tag — nvd, cve_org, or euvd — so you always know exactly where the data came from.
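As an added example (not SentriKat's code), here is what such a priority chain with provenance tagging looks like in Python. The NVD API 2.0 and CVE JSON 5.1 layouts follow the public formats; the EUVD record layout (top-level baseScore and baseScoreVector), the fetcher stand-ins and the sample documents for a hypothetical CVE-2099-0001 are assumptions constructed so the script runs offline:

```python
"""Priority-based CVSS fallback chain with a cvss_source provenance tag.

Added example, not SentriKat's code. NVD API 2.0 and CVE JSON 5.1 layouts
are the public formats; the EUVD layout (baseScore / baseScoreVector) and
every sample document below are constructed, not captured from a live API.
"""
from dataclasses import dataclass
from typing import Callable, Optional


class SourceUnavailable(Exception):
    """Raised by a fetcher on timeout, 5xx or HTTP 429 (rate limited)."""


@dataclass
class CvssResult:
    score: float
    vector: str
    cvss_source: str  # provenance tag: "nvd", "cve_org" or "euvd"


def parse_nvd(doc: dict) -> Optional[CvssResult]:
    """NVD API 2.0: vulnerabilities[].cve.metrics.cvssMetricV31[].cvssData."""
    for vuln in doc.get("vulnerabilities", []):
        metrics = vuln["cve"].get("metrics", {})
        for entry in metrics.get("cvssMetricV31", []) + metrics.get("cvssMetricV30", []):
            data = entry["cvssData"]
            return CvssResult(data["baseScore"], data["vectorString"], "nvd")
    return None  # listed in the NVD but still awaiting enrichment


def parse_cve_org(doc: dict) -> Optional[CvssResult]:
    """CVE JSON 5.1: the CNA container may carry the vendor's own score;
    CISA Vulnrichment adds one in an ADP container (shortName CISA-ADP)
    when the CNA did not. Check the CNA first, then CISA-ADP."""
    containers = doc.get("containers", {})
    candidates = [containers.get("cna", {})] + [
        c for c in containers.get("adp", [])
        if c.get("providerMetadata", {}).get("shortName") == "CISA-ADP"]
    for container in candidates:
        for metric in container.get("metrics", []):
            for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
                if key in metric:
                    m = metric[key]
                    return CvssResult(m["baseScore"], m["vectorString"], "cve_org")
    return None


def parse_euvd(doc: dict) -> Optional[CvssResult]:
    """EUVD record (assumed layout): top-level baseScore / baseScoreVector."""
    if doc.get("baseScore") is None:
        return None
    return CvssResult(doc["baseScore"], doc.get("baseScoreVector", ""), "euvd")


Fetcher = Callable[[str], dict]
Parser = Callable[[dict], Optional[CvssResult]]


def resolve_cvss(cve_id: str, chain: list[tuple[str, Fetcher, Parser]]) -> Optional[CvssResult]:
    """Walk the chain in priority order. An unreachable source, or one with no
    score for this CVE, is skipped; the first usable score wins and keeps the
    provenance of the source that produced it. No score at all returns None:
    an unscored CVE must stay visibly unscored, never be guessed."""
    for _name, fetch, parse in chain:
        try:
            doc = fetch(cve_id)
        except SourceUnavailable:
            continue  # outage or rate limit: try the next source
        result = parse(doc)
        if result is not None:
            return result
    return None


def fake_fetcher(doc: Optional[dict]) -> Fetcher:
    """Constructed stand-in for an HTTP client; None simulates an outage."""
    def fetch(_cve_id: str) -> dict:
        if doc is None:
            raise SourceUnavailable("timeout")
        return doc
    return fetch


# Constructed sample documents for a hypothetical CVE-2099-0001 (not real data).
NVD_UNENRICHED = {"vulnerabilities": [{"cve": {"id": "CVE-2099-0001", "metrics": {}}}]}
CVE_ORG_ADP = {"containers": {"cna": {}, "adp": [{
    "providerMetadata": {"shortName": "CISA-ADP"},
    "metrics": [{"cvssV3_1": {"baseScore": 8.8,
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}]}]}}
CVE_ORG_EMPTY = {"containers": {"cna": {}, "adp": []}}
EUVD_SCORED = {"baseScore": 7.5, "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}


def demo() -> dict[str, Optional[CvssResult]]:
    """Three scenarios: NVD unenriched; NVD down and CVE.org unscored; no score anywhere."""
    return {
        "nvd_unenriched": resolve_cvss("CVE-2099-0001", [
            ("nvd", fake_fetcher(NVD_UNENRICHED), parse_nvd),
            ("cve_org", fake_fetcher(CVE_ORG_ADP), parse_cve_org),
            ("euvd", fake_fetcher(EUVD_SCORED), parse_euvd)]),
        "nvd_down": resolve_cvss("CVE-2099-0001", [
            ("nvd", fake_fetcher(None), parse_nvd),
            ("cve_org", fake_fetcher(CVE_ORG_EMPTY), parse_cve_org),
            ("euvd", fake_fetcher(EUVD_SCORED), parse_euvd)]),
        "unscored": resolve_cvss("CVE-2099-0001", [
            ("nvd", fake_fetcher(None), parse_nvd),
            ("cve_org", fake_fetcher(CVE_ORG_EMPTY), parse_cve_org),
            ("euvd", fake_fetcher({}), parse_euvd)]),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The point to notice is the last scenario: when no source has scored the CVE, the chain returns nothing rather than a default, so the record is flagged as unscored and can still be prioritized by other signals (KEV membership, EPSS) instead of silently landing at a made-up severity.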
ENISA EUVD: the European vulnerability database
The ENISA European Vulnerability Database (EUVD) launched in 2025 as the NIS2-mandated EU vulnerability database. It provides:
- Independent CVSS scoring: Not derived from NVD — ENISA maintains its own severity assessments
- Exploited vulnerabilities list: The European equivalent of CISA KEV, flagging vulnerabilities confirmed as exploited
- European data sovereignty: Data sourced from European infrastructure, not US government APIs
SentriKat integrates the EUVD both as a CVSS fallback source and as an exploited vulnerability feed alongside CISA KEV. This means European-flagged exploited vulnerabilities appear in your dashboard alongside US-sourced KEV entries.
Data source health monitoring
Having multiple sources is only useful if you know when one of them changes. SentriKat now monitors the health of all upstream data sources every 6 hours, detecting:
- Outages: When a source becomes unreachable or times out
- API contract changes: When a source changes its response format, detected by fingerprinting the structure (not the values) of a probe response and comparing it against a stored baseline
- Version changes: When an API updates its version identifier
- Deprecation notices: When a source announces upcoming changes via HTTP headers such as Deprecation or Sunset (RFC 8594)
When a change is detected, administrators receive an email alert with details about what changed and recommended actions. This gives you time to react before a source change breaks your vulnerability pipeline.
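As an added example (not SentriKat's code), a minimal version of such a check in Python: it fingerprints the key paths and value types of a probe response, ignores the values, and inspects the status code and headers. The response snapshots (shaped like NVD API 2.0), the renamed field, the version bump and the Sunset date are constructed; the baseline store and the 6-hour scheduler are left out.

```python
"""Upstream source health check: schema fingerprinting plus HTTP signals.

Added example, not SentriKat's code. Responses are constructed dicts of the
form {status, headers, body} so the script runs offline; status None models
a timeout. A real monitor persists one baseline per source and runs this on
a schedule against a fixed, long-stable probe CVE, so that the fingerprint
does not change just because a record gained or lost enrichment.
"""
import hashlib
from typing import Any


def schema_paths(value: Any, prefix: str = "") -> set[str]:
    """Key paths with leaf types, values ignored: a new CVE or a changed score
    leaves the set unchanged, a renamed or retyped field does not. List
    elements are merged under one '[]' segment because list length varies."""
    if isinstance(value, dict):
        paths: set[str] = set()
        for key, child in value.items():
            paths |= schema_paths(child, f"{prefix}.{key}")
        return paths
    if isinstance(value, list):
        paths = set()
        for child in value:
            paths |= schema_paths(child, f"{prefix}[]")
        return paths
    return {f"{prefix}:{type(value).__name__}"}


def fingerprint(body: Any) -> str:
    """Stable digest of the schema, convenient to store and compare."""
    return hashlib.sha256("\n".join(sorted(schema_paths(body))).encode()).hexdigest()


def build_baseline(body: dict) -> dict:
    """Snapshot taken when the integration is known to work."""
    return {"version": body.get("version"), "paths": schema_paths(body),
            "fingerprint": fingerprint(body)}


def check_source(name: str, baseline: dict, response: dict) -> list[str]:
    """Compare one fetch against the stored baseline; an empty list is healthy."""
    findings: list[str] = []
    status = response["status"]
    if status is None:
        return [f"{name}: outage (timeout)"]
    if status == 429 or status >= 500:
        return [f"{name}: outage (HTTP {status})"]
    headers = {k.lower(): v for k, v in response["headers"].items()}
    for h in ("deprecation", "sunset"):  # Sunset is RFC 8594; Deprecation is its companion header
        if h in headers:
            findings.append(f"{name}: deprecation notice, {h}: {headers[h]}")
    body = response["body"]
    # Version field location is source-specific; NVD API 2.0 reports it top-level.
    if baseline.get("version") is not None and body.get("version") != baseline["version"]:
        findings.append(f"{name}: version changed {baseline['version']} -> {body.get('version')}")
    current = schema_paths(body)
    removed = sorted(baseline["paths"] - current)
    added = sorted(current - baseline["paths"])
    if removed:  # a parser reading these paths will now break: alert
        findings.append(f"{name}: schema contract changed, missing {removed}")
    if added:    # usually harmless, still worth recording in the alert
        findings.append(f"{name}: schema extended, new {added}")
    return findings


# Constructed responses shaped like the NVD API 2.0 (not captured from NIST).
GOOD = {"status": 200, "headers": {"Content-Type": "application/json"},
        "body": {"version": "2.0", "totalResults": 1, "vulnerabilities": [{"cve": {
            "id": "CVE-2099-0001", "metrics": {"cvssMetricV31": [{"cvssData": {
                "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}}]}}
# Same shape, but baseScore was renamed, the version bumped and a Sunset header appeared.
RENAMED = {"status": 200, "headers": {"Sunset": "Sat, 31 Dec 2099 23:59:59 GMT"},
           "body": {"version": "2.1", "totalResults": 1, "vulnerabilities": [{"cve": {
               "id": "CVE-2099-0001", "metrics": {"cvssMetricV31": [{"cvssData": {
                   "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}}]}}
DOWN = {"status": 503, "headers": {}, "body": None}


def demo() -> dict[str, list[str]]:
    """Run the check against a healthy, a changed and an unreachable source."""
    baseline = build_baseline(GOOD["body"])
    return {
        "healthy": check_source("nvd", baseline, GOOD),
        "contract_change": check_source("nvd", baseline, RENAMED),
        "outage": check_source("nvd", baseline, DOWN),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or "ok")
```

Removed paths are the actionable class: the score resolver reads exactly those paths, so a missing one means the next fetch silently produces no score rather than an error. Added paths and header notices are worth putting in the same alert, but a sensible monitor only pages on removals, retypes and outages.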
What this means for you
If you’re running SentriKat, the multi-source architecture works transparently. Your CVSS scores come from the best available source, with automatic fallback when one source is unavailable.
For organizations subject to NIS2, DORA, or the Cyber Resilience Act, this also addresses the European data sovereignty requirement — your vulnerability intelligence doesn’t depend on a single US federal agency anymore.
Complete list of data sources
| Source | What it provides | License |
|---|---|---|
| CISA KEV | Exploited vulnerability catalog with deadlines | CC0 |
| NIST NVD | CVSS scores, CPE product data | CVE Terms of Use |
| CVE.org + Vulnrichment | CVE records with CISA CVSS enrichment | CVE-TOU + CC0 |
| ENISA EUVD | EU vulnerability database, exploited vulns | CC-BY-4.0 |
| FIRST EPSS | Exploit probability prediction scores | Free (attribution) |
| OSV.dev | Open-source vulnerability advisories | CC-BY-4.0 / CC0 |
| Red Hat Security | RHEL/CentOS/Rocky fix status | Free API |
| Microsoft MSRC | Windows/Office patch data | Free API |
| Debian Tracker | Debian package fix status | Free |
All sources are free and legally cleared for commercial use; the most any of them requires is attribution (the CC0 sources require none).
Ready to automate your vulnerability management?
Deploy SentriKat on-premises in minutes. Track CISA KEV vulnerabilities, generate NIS2 compliance reports, and protect your infrastructure.
Request a Demo