What is Vulnrichment?
Last reviewed June 2, 2026
Vulnrichment is CISA's vulnerability enrichment program. CISA acts as an Authorized Data Publisher (ADP) in the CVE Program, which means it adds data to existing CVE records without assigning the IDs. Vulnrichment attaches SSVC decision points, CVSS scores, CWE weakness mappings, and CPE product identifiers to published CVEs, helping defenders triage flaws that the original CNA left without that enrichment.
Vulnrichment in one sentence
Vulnrichment is the name of CISA's program for enriching CVE records with the extra data defenders need to prioritize. CISA runs it in its role as an Authorized Data Publisher (ADP) within the CVE Program, a role that adds data to records but never assigns CVE IDs.
It exists because many CVE records, especially when first published by a CNA, lack the severity, weakness, and product details needed to triage them. Rather than waiting on a single downstream database, CISA enriches records directly inside the CVE data itself.
What Vulnrichment adds
Vulnrichment writes its data into a separate ADP container attached to the CVE record, so the original CNA's content stays intact. The enrichment focuses on the signals that drive prioritization.
- SSVC decision points, such as exploitation status and automatable, to support prioritization decisions.
- CVSS scores and vectors where the CNA did not provide one.
- CWE weakness mappings that classify the root-cause weakness type.
- CPE product identifiers describing which products and versions are affected.
How the ADP role works
In the CVE Program, CNAs assign CVE IDs and write the base record, while an ADP enriches records that already exist. CISA, one of the two Top-Level Roots in the program, uses the ADP mechanism for Vulnrichment. Because the enrichment lives in its own container alongside the CNA's data, consumers can clearly see which fields came from the CNA and which came from CISA.
This is different from the National Vulnerability Database, which historically performed similar enrichment as a separate downstream database. Vulnrichment puts comparable data directly into the CVE record, so tools that read the CVE feed get the enrichment without a second source.
Why Vulnrichment matters
Vulnrichment grew in importance as NVD enrichment slowed and a large backlog of CVEs went unanalyzed. By prioritizing recent and likely-relevant CVEs and attaching SSVC, CVSS, CWE, and CPE data, CISA gives defenders a triage-ready record straight from the authoritative CVE feed.
For prioritization, the SSVC decision points are the standout addition: they encode exploitation and impact judgments that map directly onto a remediation decision, complementing the CVSS and EPSS signals teams already use.
Keep exploring
- CNA vs Root vs ADPWhere the ADP role sits in the CVE Program.
- What is SSVC?The decision framework Vulnrichment data supports.
- What is the NVD?The other major source of CVE enrichment.
- How to prioritize vulnerabilitiesHow enriched signals feed prioritization.
- Browse CNA data sourcesWhere CNA and ADP data originates.
- NVD vs CVEThe CVE List versus the NVD enrichment layer.
Frequently asked questions
- What is Vulnrichment?
- Vulnrichment is CISA's program for enriching CVE records with SSVC decision points, CVSS scores, CWE mappings, and CPE data. CISA does this as an Authorized Data Publisher (ADP) in the CVE Program.
- Does Vulnrichment assign CVE IDs?
- No. As an ADP, CISA only enriches existing CVE records. CVE IDs are assigned by CNAs. Vulnrichment data lives in a separate ADP container attached to the record.
- How is Vulnrichment different from the NVD?
- The NVD is a separate downstream database that enriches CVEs. Vulnrichment writes comparable data, including SSVC, directly into the CVE record itself via CISA's ADP container.
- What does Vulnrichment add that is unique?
- Its SSVC decision points are the distinctive addition, encoding exploitation status and impact to support prioritization decisions, alongside CVSS, CWE, and CPE enrichment.
