U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

2022-23 Change Timeline

To better serve increasing requests from a growing user base the NVD is modernizing its support for web-based automation. In late 2023, the NVD will retire its legacy data feeds while working to guide any users to updated application programming interfaces (APIs). APIs have many benefits over data feeds and have been the proven and preferred approach to web-based automation for over a decade.

When the 2.0 APIs are released, they will be released in an open beta. In this release the APIs could contain some bugs and changes to the schema will not affect versioning. Any changes to the schema after the APIs leave the open beta will affect versioning. Approximately 12 months after this release the NVD will retire all legacy data feeds and the 1.0 APIs. The 2.0 APIs will include new URI paths so that existing automated processes may continue without interruption until users have transitioned to the new service.

Timeline

October 2021 The NVD released API keys.
March 2022 The NVD announced the enforcement of API rate limits for users without an API key.
July 2022 The NVD announced its 2.0 APIs are in development. The NVD announced that 12 months after the release of the 2.0 APIs it will retire its legacy data feeds and the 1.0 APIs.
September 2022 The NVD plans to release the 2.0 APIs in beta. The 2.0 APIs will include all the functionality of the 1.0 APIs plus new features and improved performance. New users should start with the 2.0 APIs. Existing users should prepare for their transition to the 2.0 APIs.
November 2022 The NVD plans to release a new API endpoint for CVE Histories in beta.
January 2023 The NVD plans for all 2.0 APIs to leave beta and to mark the 1.0 API deprecated. New users should use the 2.0 APIs. All data feed users should transition to the 2.0 APIs.
March 2023 The NVD plans to retire the RSS data feeds. The NVD plans to enable reCAPTCHA across all webpages and to retire webpages intended to support web scraping (e.g., Full Listings) before its APIs existed.
September 2023 The NVD plans to retire the remaining legacy data feeds as well as all 1.0 APIs.

API Versioning

The NVD anticipates new approaches to structuring vulnerability records and describing the severity of vulnerabilities will be released in the next two years. The NVD expects the CVE Program to release CVEv5 in 2023 and for FIRST to release CVSSv4 sometime afterwards. Following each release there will be a period of time where the NVD is incorporating and testing the changes to each model. During this time the new models will be public, but not yet visible on the NVD website or its APIs. The NVD plans to release a new version of an API whenever a new model has been incorporated into an API schema. Whenever a new version of an API is released there will be a period of time when it runs in parallel with an existing API.

Semantic versioning allows for the NVD and its users to track what changes have been made to the API and when the changes occurred. Major version changes may modify URI paths and will likely include changes to the API schema. It is recommended that developers using the NVD API opt into the NVD News Google Group to stay up to date with all API changes.


Questions, comments, or concerns may be shared with the NVD by emailing nvd@nist.gov

Created September 19, 2022, Updated September 19, 2022