Update: The retirement timeline has been extended for the Legacy Data Feed Files until further notice.
To better serve increasing requests from a growing user base, the NVD is modernizing its support for web-based automation. The NVD plans to retire its legacy data feeds while guiding any remaining users to updated application programming interfaces. APIs have many benefits over data feeds and have been the proven and preferred approach to web-based automation for over a decade.
In September 2022 the NVD released its 2.0 APIs in an open beta. During the open beta period the APIs may have contained some bugs and any changes made to the schema did not affect versioning. In January 2023, the 2.0 APIs exited the open beta period. Future changes to the structure of the API schemas will affect versioning. In December 2023, the NVD plans to retire the 1.0 APIs. The 2.0 APIs will include new URI paths so that existing automated processes may continue without interruption until users have transitioned to the new service.
|The NVD released API keys.
|The NVD announced the enforcement of API rate limits for users without an API key.
|The NVD announced its 2.0 APIs are in development. The NVD announced that 12 months after the release of the 2.0 APIs it will retire its legacy data feeds and the 1.0 APIs.
|The NVD released the 2.0 APIs in an open beta. The 2.0 APIs included all the functionality of the 1.0 APIs plus new features and improved performance. New users were advised to start with the 2.0 APIs. Existing users were advised to prepare for their transition to the 2.0 APIs.
|The NVD released a new API endpoint for CVE Histories in an open beta.
|The 2.0 APIs have exited the open beta period, deprecating the 1.0 APIs. While deprecated, the 1.0 APIs will not receive updates or product support. All new and existing users must transition to the 2.0 APIs.
|The NVD plans to retire the RSS data feeds and the webpages that were intended to support web scraping (e.g., Full Listings) before the APIs existed.
|The NVD will retire all 1.0 APIs on December 18th.
|The NVD will retire the Legacy Data Feed Files once improvements for bulk download capabilities of the NVD dataset are implemented.
Actions You Must Take
All new users, as well as existing users whose workflows include web scraping tools, the legacy data feeds, or the 1.0 APIs, must transition to the 2.0 APIs to continue to get NVD data without interruption.
Actions You Should Take
The NVD anticipates that new approaches to structuring vulnerability records and describing the severity of vulnerabilities will be released in the next two years. The NVD expects the CVE Program to release CVEv5 in 2023 and for FIRST to release CVSSv4 sometime afterwards. Following each release, there will be a period of time where the NVD is incorporating and testing the changes to each model. During this time, the new models will be public but not yet visible on the NVD website or its APIs. The NVD plans to release a new version of an API whenever a new model has been incorporated into an API schema. Whenever a new version of an API is released, there will be a period of time when it runs in parallel with an existing API.
Semantic versioning allows for the NVD and its users to track what changes have been made to the API and when the changes occurred. Major version changes may modify URI paths and will likely include changes to the API schema.
It is recommended that developers using the NVD API opt into the NVD News Google Group to stay up to date with all API changes.
Questions, comments, or concerns may be shared with the NVD by emailing email@example.com