This session will explore the challenges posed by unenriched CVEs in the National Vulnerability Database (NVD), which has left over 18,000 CVEs without proper CPE identifiers since February 2024. These unenriched reports severely limit automated vulnerability management as they remain invisible to CPE-based searches. With contractors historically managing NVD enrichment and the backlog growing monthly, organizations relying on CVE-based vulnerability databases face significant gaps in visibility. 

We’ll discuss strategies to compensate for these gaps and the potential of alternative identifiers, like purl, in addressing these issues, particularly in the open-source ecosystem.