The NVD is managed by the National Institute of Standards and Technology (NIST), a U.S. government agency.
On Friday, March 8, 2013, the database was taken offline after it was discovered that the system used to run multiple government sites had been compromised through a software vulnerability in Adobe ColdFusion.[1][2]
In June 2017, threat intelligence firm Recorded Future revealed that the median lag between a CVE being revealed and ultimately being published to the NVD is 7 days and that 75% of vulnerabilities are published unofficially before making it to the NVD, giving attackers time to exploit the vulnerability.[5]
In August 2023, the NVD initially marked an integer overflow bug in old versions of cURL as a 9.8 out of 10 critical vulnerability.
cURL lead developer Daniel Stenberg responded that this was not a security problem and that the bug had been patched nearly 4 years prior, requested that the CVE be rejected, and accused NVD of "scaremongering" and "grossly inflating the severity level of issues".