NVD · Rate Limits

Nvd Rate Limits

NVD enforces rolling 30-second windows. Without an API key, clients are limited to 5 requests per 30 seconds; with a free API key, 50 requests per 30 seconds. NVD recommends sleeping 6 seconds between requests to stay below the threshold. Limits are per public IP (anonymous) or per API key. Exceeding the threshold returns 403 with a temporary block.

Nvd Rate Limits is the machine-readable rate-limit profile for NVD on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 2 rate-limit definitions, measuring requests_per_30s.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled and serviceUnavailable.

Tagged areas include Security, CVE, CPE, Vulnerability, and CVSS.

2 Limits Throttle: 403
SecurityCVECPEVulnerabilityCVSSRate Limiting

Limits

Anonymous (no API key) IP
requests_per_30s · 30 seconds
5
Rolling 30-second window across all NVD endpoints.
With API Key api-key
requests_per_30s · 30 seconds
50
Rolling 30-second window. Pass the key via the apiKey query parameter or X-API-KEY header.

Policies

Recommended sleep interval
NVD recommends sleeping at least 6 seconds between requests to stay safely under the rolling 30-second window.
Backoff
On throttling (403), pause and resume after the rolling window resets. Implement exponential backoff for repeated throttle responses.
Pagination
Use the resultsPerPage and startIndex parameters (max 2000 for CVEs, 10000 for CPEs) to retrieve large result sets within the rate limit.
Terms of use
Use of NVD data is subject to the NVD Terms of Use; commercial use is permitted with attribution.

Sources