2022-23 Change Timeline
Edit: The retirement timeline has been extended from September to December 15th, 2023.
To better serve increasing requests from a growing user base the NVD is modernizing its support for web-based automation. In September 2023, the NVD plans to retire its legacy data feeds while guiding any remaining users to updated application programming interfaces. APIs have many benefits over data feeds and have been the proven and preferred approach to web-based automation for over a decade.
In September 2022 the NVD released its 2.0 APIs in an open beta. During the open beta period the APIs may have contained some bugs and any changes made to the schema did not affect versioning. In January 2023, the 2.0 APIs exited the open beta period. Future changes to the structure of the API schemas will affect versioning. In September 2023, the NVD plans to retire all legacy data feeds and the 1.0 APIs. The 2.0 APIs will include new URI paths so that existing automated processes may continue without interruption until users have transitioned to the new service.
|October 2021||The NVD released API keys.|
|March 2022||The NVD announced the enforcement of API rate limits for users without an API key.|
|July 2022||The NVD announced its 2.0 APIs are in development. The NVD announced that 12 months after the release of the 2.0 APIs it will retire its legacy data feeds and the 1.0 APIs.|
|September 2022||The NVD released the 2.0 APIs in an open beta. The 2.0 APIs included all the functionality of the 1.0 APIs plus new features and improved performance. New users were advised to start with the 2.0 APIs. Existing users were advised to prepare for their transition to the 2.0 APIs.|
|November 2022||The NVD released a new API endpoint for CVE Histories in an open beta.|
|January 2023||The 2.0 APIs have exited the open beta period, deprecating the 1.0 APIs. While deprecated the 1.0 APIs will not receive updates or product support. All new and existing users must transition to the 2.0 APIs.|
|March 2023||The NVD plans to retire the RSS data feeds. The NVD plans to enable reCAPTCHA across all webpages and to retire webpages intended to support web scraping (e.g., Full Listings) before its APIs existed.|
|December 2023||The NVD plans to retire the remaining legacy data feeds as well as all 1.0 APIs on December 15th.|
Actions You Must Take
All new users, as well as existing users whose workflows include web scraping tools, the legacy data feeds, or the 1.0 APIs, must transition to the 2.0 APIs to continue to get NVD data without interruption.
Actions You Should Take
The NVD anticipates new approaches to structuring vulnerability records and describing the severity of vulnerabilities will be released in the next two years. The NVD expects the CVE Program to release CVEv5 in 2023 and for FIRST to release CVSSv4 sometime afterwards. Following each release there will be a period of time where the NVD is incorporating and testing the changes to each model. During this time the new models will be public, but not yet visible on the NVD website or its APIs. The NVD plans to release a new version of an API whenever a new model has been incorporated into an API schema. Whenever a new version of an API is released there will be a period of time when it runs in parallel with an existing API.
Semantic versioning allows for the NVD and its users to track what changes have been made to the API and when the changes occurred. Major version changes may modify URI paths and will likely include changes to the API schema. It is recommended that developers using the NVD API opt into the NVD News Google Group to stay up to date with all API changes.
Questions, comments, or concerns may be shared with the NVD by emailing firstname.lastname@example.org