Future Changes to the API and Data Feeds
To better serve its growing user base, the NVD is modernizing its support for web-based automation. In late 2023, the NVD will retire its data feeds while working to guide any legacy users to updated application-programming interfaces (APIs). APIs have many benefits over data feeds and have been the proven and preferred approach to web-based automation for over a decade.
New CVE and CPE APIs
In late 2022, the NVD will release the 2.0 version of its APIs. These APIs will include new parameters to fetch information previously available only through the NVD data feeds or CVE details web pages, small modifications to existing parameters, and performance improvements.
When the new APIs are released, the existing and new APIs will run in tandem until the 1.0 feeds are retired. Approximately 12 months after this release, the NVD will retire the 1.0 APIs. The new API will also include a new URI path so that existing automated processes may continue without interruption until users have transitioned to the new service.
The CVE and CPE APIs are the preferred method for staying up to date with the NVD. Approximately 6 months after the release of the 2.0 APIs, the NVD will retire all RSS feeds. Approximately 12 months after the release of the 2.0 APIs, the NVD will also retire all remaining data feeds. Benefits of the APIs over the data feeds include:
- The APIs are updated as frequently as our website (unlike the traditional feeds, which have explicit update intervals)
- The APIs provide search capabilities based on the Advanced search feature of the website
- The APIs provide CVE- and CPE-based searching capabilities, including the ability to search for single CVE and CPE entries
- The APIs provide the ability to view only the information that has changed since a given date or time
- The APIs provide simplified methods of identifying CPE matches to Applicability statements
Current data feed users may familiarize themselves with existing APIs by visiting the NVD developers pages.
Enforcement of API rate limits
In October 2021, the NVD announced the availability of API keys and changes to its API rate limits. Users who request and activate a key may include it as a parameter of their request’s URL string.
Beginning immediately, users transmitting requests without a key will see a reduction in the number of requests they can make in a rolling 30-second window. Users transmitting requests that include their API key will see no change in service and may continue to make requests at the current rate. New users may request an API key here.
The National Vulnerability Database Team