The National Vulnerability Database plays a vital role in the CVE publication process that many people may overlook or not know they are responsible for. After MITRE publishes a CVE, the NVD enriches it with data points that make it actionable by security companies and professionals.
I was recently asked how long, on average, it takes NVD to complete its initial analysis. I looked around for a bit and couldn’t find the information, so I built this jupyter notebook to find out using the NVD Change History API and the very helpful
filter the API provides.
After running the notebook for all CVEs published between January 1st, 2022, and November 15th, 2022, the average analysis time takes 5 days 22:14:22 (the Standard Deviation is 3 days 15:42:25). I will leave it to the math geeks to decide which number is more valuable, but either number is excellent considering the growth of CVEs.
Since everyone loves a good visualization, here is a quick graph (and code) of the analysis timing.
Note: The notebook is not the fastest, and with the API rate limiting, it took just over 7 hours to run the 22,619 requests. If you are interested in looking at the data, it is all here in a CSV.