Change Timeline
Update: The retirement timeline has been extended for the Legacy Data Feed Files until further notice.
To better serve increasing requests from a growing user base the NVD is modernizing
its support for web-based automation. The NVD plans to retire its
legacy data feeds while guiding any remaining users to updated application programming
interfaces. APIs have many benefits over data feeds and have been the proven and preferred
approach to web-based automation for over a decade.
In September 2022 the NVD released its 2.0 APIs in an open beta. During the open beta period the APIs may have contained some bugs and any changes made to the schema did not affect versioning. In January 2023, the 2.0 APIs exited the open beta period. Future changes to the structure of the API schemas will affect versioning. In December 2023, the NVD plans to retire the 1.0 APIs. The 2.0 APIs will include new URI paths so that existing automated processes may continue without interruption until users have transitioned to the new service.
Timeline
October 2021 | The NVD released API keys. |
March 2022 | The NVD announced the enforcement of API rate limits for users without an API key. |
July 2022 | The NVD announced its 2.0 APIs are in development. The NVD announced that 12 months after the release of the 2.0 APIs it will retire its legacy data feeds and the 1.0 APIs. |
September 2022 | The NVD released the 2.0 APIs in an open beta. The 2.0 APIs included all the functionality of the 1.0 APIs plus new features and improved performance. New users were advised to start with the 2.0 APIs. Existing users were advised to prepare for their transition to the 2.0 APIs. |
November 2022 | The NVD released a new API endpoint for CVE Histories in an open beta. |
January 2023 | The 2.0 APIs have exited the open beta period, deprecating the 1.0 APIs. While deprecated the 1.0 APIs will not receive updates or product support. All new and existing users must transition to the 2.0 APIs. |
March 2023 | |
September 2023 | |
October 2023 | The NVD plans to retire the RSS data feeds and the webpages intended to support web scraping (e.g., Full Listings) before the APIs existed. |
December 2023 | The NVD will retire all 1.0 APIs on December 18th. |
2024 | The NVD will retire the Legacy Data Feed Files once improvements for bulk download capabilities of the NVD dataset are implemented. |
Actions You Must Take
All new users, as well as existing users whose workflows include web scraping tools, the legacy data feeds, or the 1.0 APIs, must transition to the 2.0 APIs to continue to get NVD data without interruption.
Actions You Should Take
All new and existing users should read the User Workflows outline and the Transition Guide.
API Versioning
The NVD anticipates new approaches to structuring vulnerability records and describing the severity of vulnerabilities will be released in the next two years. The NVD expects the CVE Program to release CVEv5 in 2023 and for FIRST to release CVSSv4 sometime afterwards. Following each release there will be a period of time where the NVD is incorporating and testing the changes to each model. During this time the new models will be public, but not yet visible on the NVD website or its APIs. The NVD plans to release a new version of an API whenever a new model has been incorporated into an API schema. Whenever a new version of an API is released there will be a period of time when it runs in parallel with an existing API.
Semantic versioning allows for the NVD and its users to track what changes have been made to
the API and when the changes occurred. Major version changes may modify URI paths and will likely
include changes to the API schema.
It is recommended that developers using the NVD API opt into the
NVD News Google Group
to stay up to date with all API changes.
Questions, comments, or concerns may be shared with the NVD by emailing nvd@nist.gov