U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

Getting Started

All NIST publications are available in the public domain according to Title 17 of the United States Code, however services which utilize or access the NVD are asked to display the following notice prominently within the application: "This product uses data from the NVD API but is not endorsed or certified by the NVD." You may use the NVD name in order to identify the source of the data. You may not use the NVD name, to imply endorsement of any product, service, or entity, not-for-profit, commercial or otherwise.

For information on how to the cite the NVD, including the the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Rate Limits

Requesting an API key allows for users to make a greater number of requests in a given time than they could otherwise. The public rate limit (without an API key) is 10 requests in a rolling 60 second window; the rate limit with an API key is 100 requests in a rolling 60 second window.

Request an API Key

  1. On the API key requests page, enter data into the three fields on the requests form.
  2. Scroll to the bottom of the Terms of Use, and then click the check box marked “I agree to the Terms of Use.”
  3. Check the inbox of the email address provided in the steps above for an email from nvd-noreply@nist.gov.
  4. Activate and view the API Key by opening the single-use hyperlink. Store the API Key in a secure location as the page will no longer be available after it is closed. If your key is not activated within seven days, the single-use hyperlink will expire.

Each API Key is associated with a single email address. If an email address is used to request an additional API key, clicking the single-use hyperlink will invalidate the key previously associated with that email address. The key will not be invalidated if the email address is used to request another key, but the hyperlink is not opened. There is no process for retrieving a forgotten key or confirming whether a key has been requested or activated by any email address.

Best Practices

When properly implemented, the following practices enable users to stay up to date with the latest data with very few requests. Enterprise scale development should enforce these practices through a single requestor to ensure all users are in sync and have the latest CVE and CPE information.

  • The last modified date parameters provide an efficient way to update local databases and stay within the API rate limits. No more than once every two hours, automated requests should include a range where modStartDate equals the time of the last CVE or CPE received and modEndDate equals the current time. Users do not need to change the default sortBy when making these requests.
  • When making iterative requests for a large number of CVE, such as the initial population of all CVE for a local database, sorting by the modified date may occasionally result in missing CVE. This may happen if new CVE are added during the iterative requests. Sorting by the published date sortOrder=publishDate avoids these errors.
  • If a CVE or CPE has been modified more recently than the period specified by the last modified date parameters it will not be included in the response. Because of this, the use cases for automating recursive requests for static time frames are limited.
  • Each CVE may have a dozen or more CPE associated with them. Including the addOns parameter can return a large amount of data, which in some cases may become truncated. Reducing the resultsPerPage may prevent the data from being truncated.
  • It is recommended that users "sleep" their scripts for six seconds between requests.

Keep Up To Date with the NVD

The process of requesting an API key requires users to provide a valid email address. About twice a year, the NVD may send a user experience survey to any email addresses that have requested an API key. The NVD does not automatically enroll these addresses in any discussion group or mailing list. It is recommended that developers using the NVD API opt into the NVD News Google Group . This group can be a valuable resource for enterprise application developers and novice researchers alike.


Questions, comments, or concerns may be shared with the NVD by emailing nvd@nist.gov