Change Timeline

Update: The retirement timeline has been extended for the Legacy Data Feed Files until further notice.
To better serve increasing requests from a growing user base, the NVD is modernizing its support for web-based automation. The NVD plans to retire its legacy data feeds while guiding any remaining users to updated application programming interfaces. APIs have many benefits over data feeds and have been the proven and preferred approach to web-based automation for over a decade.

In September 2022 the NVD released its 2.0 APIs in an open beta. During the open beta period the APIs may have contained some bugs and any changes made to the schema did not affect versioning. In January 2023, the 2.0 APIs exited the open beta period. Future changes to the structure of the API schemas will affect versioning. In December 2023, the NVD plans to retire the 1.0 APIs. The 2.0 APIs will include new URI paths so that existing automated processes may continue without interruption until users have transitioned to the new service.

Timeline

October 2021: The NVD released API keys.
March 2022: The NVD announced the enforcement of API rate limits for users without an API key.
July 2022: The NVD announced its 2.0 APIs are in development. The NVD announced that 12 months after the release of the 2.0 APIs it will retire its legacy data feeds and the 1.0 APIs.
September 2022: The NVD released the 2.0 APIs in an open beta. The 2.0 APIs included all the functionality of the 1.0 APIs plus new features and improved performance. New users were advised to start with the 2.0 APIs. Existing users were advised to prepare for their transition to the 2.0 APIs.
November 2022: The NVD released a new API endpoint for CVE Histories in an open beta.
January 2023: The 2.0 APIs have exited the open beta period, deprecating the 1.0 APIs. While deprecated the 1.0 APIs will not receive updates or product support. All new and existing users must transition to the 2.0 APIs.
March 2023: The NVD plans to retire the RSS data feeds and the webpages intended to support web scraping (e.g., Full Listings) before the APIs existed.
September 2023: The NVD plans to retire the remaining legacy data feeds as well as all 1.0 APIs.
October 2023: The NVD plans to retire the RSS data feeds and the webpages intended to support web scraping (e.g., Full Listings) before the APIs existed.
December 2023: The NVD will retire all 1.0 APIs on December 18th.
2024: The NVD will retire the Legacy Data Feed Files once improvements for bulk download capabilities of the NVD dataset are implemented.

Actions You Must Take

All new users, as well as existing users whose workflows include web scraping tools, the legacy data feeds, or the 1.0 APIs, must transition to the 2.0 APIs to continue to get NVD data without interruption.

Actions You Should Take

All new and existing users should read the User Workflows outline and the Transition Guide.

API Versioning

The NVD anticipates new approaches to structuring vulnerability records and describing the severity of vulnerabilities will be released in the next two years. The NVD expects the CVE Program to release CVEv5 in 2023 and for FIRST to release CVSSv4 sometime afterwards. Following each release there will be a period of time where the NVD is incorporating and testing the changes to each model. During this time the new models will be public, but not yet visible on the NVD website or its APIs. The NVD plans to release a new version of an API whenever a new model has been incorporated into an API schema. Whenever a new version of an API is released there will be a period of time when it runs in parallel with an existing API.

Semantic versioning allows for the NVD and its users to track what changes have been made to the API and when the changes occurred. Major version changes may modify URI paths and will likely include changes to the API schema.
It is recommended that developers using the NVD API opt into the NVD News Google Group to stay up to date with all API changes.


Questions, comments, or concerns may be shared with the NVD by emailing nvd@nist.gov

Created September 20, 2022, Updated February 13, 2024