More Than 10,000 Vulnerabilities Disclosed So Far In 2018 – Over 3,000 You May Not Know About
August 13, 2018 • RBS
Risk Based Security today announced the release of its 2018 Mid Year VulnDB QuickView report that shows there have been 10,644 vulnerabilities disclosed through June 30th. This is the highest number of disclosed vulnerabilities at the mid-year point on record. The 10,644 vulnerabilities cataloged during the first half of 2018 by Risk Based Security’s research team eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by well over 3,000.
The newly released 2018 mid-year report from Risk Based Security shows that 16.6% of the reported vulnerabilities received CVSSv2 scores between 9.0 and 10.0, which is a drop from previous years. However, the severity of the vulnerabilities disclosed remains significant, demanding that organizations stay vigilant by implementing a comprehensive software vulnerability assessment and management plan.
“An important and compelling statistic is that of the 3,279 vulnerabilities not reported by CVE/NVD, 44.2% have CVSSv2 scores between 7.0 and 10 (High and Critical severity). While other criteria than just CVSS scores are important to consider when managing and prioritizing vulnerabilities, it is highly problematic if an organization is not aware of higher severity vulnerabilities that pose a risk to their assets,” said Carsten Eiram, Chief Research Officer for Risk Based Security. He further commented that details about vulnerabilities are often available in VulnDB significantly earlier than in the CVE or NVD databases.
“The task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches. Your vulnerability intelligence solution is a cornerstone of your defense strategy. We continue to see a surprising number of companies still relying on CVE and NVD for vulnerability tracking, despite the US government funded organization’s continued underrepresentation of identifiable vulnerabilities,” said Brian Martin, VP of Vulnerability Intelligence for Risk Based Security.
“While some contend that the CVE/NVD solution is ‘good enough’, the number of data breaches based on hacking points to a different conclusion. In today’s hostile computing environment, with non-stop attacks from around the world, organizations using sub-par vulnerability intelligence are taking on significant risk needlessly,” added Martin.
Of the large number of vulnerabilities reported in 2018, 25.6% currently have no known solution. Because of this, patching, while very important, is only a part of modern vulnerability management. In today’s environment, effective vulnerability management must use detailed intelligence to understand and prioritize mitigation actions to address the ever-changing threats.
The VulnDB QuickView report also shows that while relationships between researchers and vendors can be tricky to navigate, they are making strides in cooperation. The share of vulnerabilities disclosed in a coordinated fashion with vendors remains high at around 48.5%, an improvement from 2017.
About the VulnDB QuickView Report
The VulnDB QuickView report is made possible by the research conducted by Risk Based Security. It is designed to provide an executive-level summary of the key findings from RBS’ aggregation of vulnerabilities disclosed in 2018. Contact Risk Based Security for a specific analysis of the 2018 vulnerabilities of critical relevance to your organization.
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high-quality security and information risk management resources in one easy-to-use web portal.
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.
Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.
YourCISO provides organizations with on-demand access to high-quality security and information risk management resources in one easy-to-use web portal. YourCISO gives organizations ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs. The YourCISO service is designed to be an affordable long-term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.