NVD · Rate Limits

Nvd Rate Limits

NVD enforces rolling 30-second windows. Without an API key, clients are limited to 5 requests per 30 seconds; with a free API key, 50 requests per 30 seconds. NVD recommends sleeping 6 seconds between requests to stay below the threshold. Limits are per public IP (anonymous) or per API key. Exceeding the threshold returns 403 with a temporary block.

2 Limits Throttle: 403

SecurityCVECPEVulnerabilityCVSSRate Limiting

Limits

Anonymous (no API key) IP

requests_per_30s · 30 seconds

Rolling 30-second window across all NVD endpoints.

With API Key api-key

requests_per_30s · 30 seconds

Rolling 30-second window. Pass the key via the apiKey query parameter or X-API-KEY header.

Policies

Recommended sleep interval

NVD recommends sleeping at least 6 seconds between requests to stay safely under the rolling 30-second window.

Backoff

On throttling (403), pause and resume after the rolling window resets. Implement exponential backoff for repeated throttle responses.

Pagination

Use the resultsPerPage and startIndex parameters (max 2000 for CVEs, 10000 for CPEs) to retrieve large result sets within the rate limit.

Use of NVD data is subject to the NVD Terms of Use; commercial use is permitted with attribution.

Nvd Rate Limits

Limits

Policies

Sources