2015, A Record Year For Vulnerabilities
March 15, 2016 • RBS
2015 sets all-time high for the number of disclosed vulnerabilities, according to Risk Based Security
We are pleased to release our VulnDB QuickView report, which shows that 2015 broke the previous all-time record for the highest number of reported vulnerabilities. The 14,185 vulnerabilities cataloged during 2015 by Risk Based Security eclipsed the total covered by the National Vulnerability Database (NVD) and CVE by over 6,000.
“If I were a security professional relying on NVD/CVE to alert me to vulnerabilities that may impact my organization’s network, I wouldn’t be sleeping very well,” said Barry Kouns, CEO of Risk Based Security. “Of the 6,062 vulnerabilities not found in NVD/CVE, over 1,300 received CVSS scores between 9.0 and 10.0.”
Risk Based Security’s newly released 2015 Year End VulnDB QuickView report shows that 20.5% of reported vulnerabilities received CVSS scores between 9.0 and 10.0, and that both the number of vulnerabilities and the CVSS scores have trended higher over the last four years. It comes as no real surprise that Web-related vulnerabilities account for nearly 60% of the total reported in 2015, with cross-site scripting (XSS) making up 39% of those.
The VulnDB QuickView report also revealed that the share of vulnerabilities disclosed in a coordinated fashion with the vendor rose to 42% in 2015, compared to 28% in 2014, the previous record. Another interesting finding in the report is that third-party bug bounty programs outpaced vendor-managed bounty programs 4:1 in 2015, counting those disclosures whose details were made available to the public.
“Our research suggests that performing vulnerability assessments and patching your systems with a sense of urgency is more important now than ever before, but you also need to understand the quality and timeliness of the vulnerability intelligence used in the assessment software,” says Kouns. “Vulnerability scanners, firewalls, and intrusion prevention systems (IPS) built using NVD/CVE will do less than 60% of the job required for what is considered the baseline security.”
About the Data Breach QuickView Report
The VulnDB QuickView report is made possible by the research conducted by Risk Based Security. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of vulnerabilities disclosed in 2015. Contact Risk Based Security for any specific analysis of the 2015 vulnerabilities. You can get your copy of the 2015 VulnDB QuickView report by clicking the link.
About Risk Based Security, Inc.
Risk Based Security is a leading-edge security and threat intelligence company. We provide the most timely, highest quality and most fully comprehensive vulnerability and data breach intelligence services available. Data intelligence is the basis for our project and information security services including ISO/IEC 27001, SDL and our YourCISO service.