{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T21:47:45Z","timestamp":1776116865397,"version":"3.50.1"},"reference-count":36,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"funder":[{"name":"German Federal Ministry of Education and Research","award":["16KIS1271K"],"award-info":[{"award-number":["16KIS1271K"]}]},{"name":"Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) as part of the Research and Training Group 2475 \u201cCybercrime and Forensic Computing\u201d","award":["393541319\/GRK2475\/2-2024"],"award-info":[{"award-number":["393541319\/GRK2475\/2-2024"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2024,9,30]]},"abstract":"<jats:p>The National Vulnerability Database (NVD) is a major vulnerability database that is free to use for everyone. It provides information about vulnerabilities and further useful resources such as linked advisories and patches. The NVD is often considered as the central source for vulnerability information and as a help to improve the resource-intensive process of vulnerability management. Although the NVD receives much public attention, little is known about its usage in vulnerability management, users\u2019 attitudes toward it and whether they encounter any problems during usage. We explored these questions using a preliminary interview study with seven people, and a follow-up survey with 71 participants. The results show that the NVD is consulted regularly and often aids decision making. Generally, users are positive about the NVD and perceive it as a helpful, clearly structured tool. 
But users also faced issues: missing or incorrect entries, incomplete descriptions or incomprehensible CVSS ratings. In order to identify the problems' origins, we discussed the results with two senior NVD members. Many of the problems can be attributed to higher-level problems such as the CVE List or limited resources. Nevertheless, the NVD is working on improving existing problems.<\/jats:p>","DOI":"10.1145\/3688806","type":"journal-article","created":{"date-parts":[[2024,8,21]],"date-time":"2024-08-21T23:23:18Z","timestamp":1724282598000},"page":"1-19","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["On NVD Users\u2019 Attitudes, Experiences, Hopes, and Hurdles"],"prefix":"10.1145","volume":"5","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-6545-7513","authenticated-orcid":false,"given":"Julia","family":"Wunder","sequence":"first","affiliation":[{"name":"IT Security Infrastructures Lab, Friedrich-Alexander Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-5231-3772","authenticated-orcid":false,"given":"Alan","family":"Corona","sequence":"additional","affiliation":[{"name":"IT Security Infrastructures Lab, Friedrich-Alexander Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5397-1685","authenticated-orcid":false,"given":"Andreas","family":"Hammer","sequence":"additional","affiliation":[{"name":"IT Security Infrastructures Lab, Friedrich-Alexander Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-7158-0219","authenticated-orcid":false,"given":"Zinaida","family":"Benenson","sequence":"additional","affiliation":[{"name":"IT Security Infrastructures Lab, Friedrich-Alexander Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, 
Germany"}]}],"member":"320","published-online":{"date-parts":[[2024,10,26]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09797-4"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3125270"},{"key":"e_1_3_2_4_2","unstructured":"Internet Archive. 2024. PURL Help. Retrieved March 2024 from https:\/\/purl.archive.org\/help"},{"key":"e_1_3_2_5_2","unstructured":"CISA. 2024. Criterias of the KEV Catalog. Retrieved March 2024 from https:\/\/www.cisa.gov\/known-exploited-vulnerabilities"},{"key":"e_1_3_2_6_2","volume-title":"Statistical Power Analysis for the Behavioral Sciences","author":"Cohen Jacob","year":"1977","unstructured":"Jacob Cohen. 1977. Statistical Power Analysis for the Behavioral Sciences. Lawrence Erlbaum Associates."},{"key":"e_1_3_2_7_2","unstructured":"The MITRE Corporation. 2024. About CWE. Retrieved March 2024 from https:\/\/cwe.mitre.org\/about\/index.html"},{"key":"e_1_3_2_8_2","unstructured":"The MITRE Corporation. 2024. CVE FAQs. Retrieved March 2024 from https:\/\/www.cve.org\/ResourcesSupport\/FAQs"},{"key":"e_1_3_2_9_2","unstructured":"The MITRE Corporation. 2024. CVE ID Syntax. Retrieved March 2024 from https:\/\/cve.mitre.org\/cve\/identifiers\/syntaxchange.html"},{"key":"e_1_3_2_10_2","unstructured":"The MITRE Corporation. 2024. Requirements of a CVE Record. Retrieved March 2024 from https:\/\/www.cve.org\/ResourcesSupport\/AllResources\/CNARules#section_8_cve_record_requirements"},{"key":"e_1_3_2_11_2","unstructured":"The MITRE Corporation. 2024. The History of MITRE. Retrieved March 2024 from https:\/\/www.mitre.org\/who-we-are\/our-story"},{"key":"e_1_3_2_12_2","unstructured":"The MITRE Corporation. 2024. The History of the CVE Program. Retrieved March 2024 from https:\/\/www.cve.org\/About\/History"},{"key":"e_1_3_2_13_2","unstructured":"The MITRE Corporation. 2024. The Lifecycle of a CVE Record. 
Retrieved March 2024 from https:\/\/www.cve.org\/About\/Process"},{"key":"e_1_3_2_14_2","first-page":"869","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security \u201919)","author":"Dong Ying","year":"2019","unstructured":"Ying Dong, Wenbo Guo, Yueqi Chen, Xinyu Xing, Yuqing Zhang, and Gang Wang. 2019. Towards the detection of inconsistencies in public security vulnerability reports. In Proceedings of the 28th USENIX Security Symposium (USENIX Security \u201919). USENIX Association, Santa Clara, CA, 869\u2013885."},{"key":"e_1_3_2_15_2","unstructured":"FIRST. 2024. CVSS Specification. Retrieved March 2024 from https:\/\/www.first.org\/cvss\/specification-document"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.23919\/CISTI54924.2022.9820232"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/3498537"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3465481.3465744"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.2307\/2529310"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359174"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-68887-5_2"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-33-4706-9_7"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/2484313.2484377"},{"key":"e_1_3_2_24_2","unstructured":"NIST. 2024. About NIST. Retrieved March 2024 from https:\/\/www.nist.gov\/about-nist"},{"key":"e_1_3_2_25_2","unstructured":"NIST. 2024. CPE Specification. Retrieved March 2024 from https:\/\/csrc.nist.gov\/projects\/security-content-automation-protocol\/specifications\/cpe"},{"key":"e_1_3_2_26_2","unstructured":"NIST. 2024. Details About Vulnerability Records of the NVD. Retrieved March 2024 from https:\/\/nvd.nist.gov\/vuln\/vulnerability-detail-pages"},{"key":"e_1_3_2_27_2","unstructured":"NIST. 2024. From the CVE list to the NVD. 
Retrieved March 2024 from https:\/\/nvd.nist.gov\/general\/cve-process"},{"key":"e_1_3_2_28_2","unstructured":"NIST. 2024. History of the NVD. Retrieved March 2024 from https:\/\/nvd.nist.gov\/general\/brief-history"},{"key":"e_1_3_2_29_2","unstructured":"NIST. 2024. NVD Program Announcement. Retrieved April 2024 from https:\/\/nvd.nist.gov\/general\/news\/nvd-program-transition-announcement"},{"key":"e_1_3_2_30_2","unstructured":"NTIA. 2024. SBOM at a Glance. Retrieved March 2024 from https:\/\/www.ntia.gov\/sites\/default\/files\/publications\/sbom_at_a_glance_apr2021_0.pdf"},{"key":"e_1_3_2_31_2","volume-title":"Anais do I Workshop de Seguran\u00e7a Cibern\u00e9tica em Dispositivos Conectados","author":"Rodriguez Luis Gustavo Araujo","year":"2018","unstructured":"Luis Gustavo Araujo Rodriguez, Julia Selvatici Trazzi, Victor Fossaluza, Rodrigo Campiolo, and Daniel Mac\u00eado Batista. 2018. Analysis of vulnerability disclosure delays from the national vulnerability database. In Anais do I Workshop de Seguran\u00e7a Cibern\u00e9tica em Dispositivos Conectados. SBC, Porto Alegre, RS, Brasil. Retrieved from https:\/\/sol.sbc.org.br\/index.php\/wscdc\/article\/view\/2394"},{"key":"e_1_3_2_32_2","volume-title":"Towards Improving CVSS","author":"Spring J. M.","year":"2018","unstructured":"J. M. Spring, E. Hatleback, A. Householder, A. Manion, and D. Shick. 2018. Towards Improving CVSS. Software Engineering Institute, Carnegie Mellon University."},{"key":"e_1_3_2_33_2","unstructured":"Statista. 2024. Number of Common IT Security Vulnerabilities and Exposures (CVEs) Worldwide from 2009 to 2024 YTD. 
Retrieved April 2024 from https:\/\/www.statista.com\/statistics\/500755\/worldwide-common-vulnerabilities-and-exposures\/"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2018.8622299"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00058"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2895963"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23088-2_15"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3688806","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3688806","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:04:09Z","timestamp":1750291449000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3688806"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":36,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2024,9,30]]}},"alternative-id":["10.1145\/3688806"],"URL":"https:\/\/doi.org\/10.1145\/3688806","relation":{},"ISSN":["2576-5337"],"issn-type":[{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-04-20","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-07-03","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-10-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}