Over 11,092 Newly-Disclosed Vulnerabilities Aggregated and Analyzed by RBS
August 23, 2019 • RBS
One of the fundamental objectives of our VulnDB service is to continually expand our search processes in order to collect as many vulnerabilities as possible and provide our clients with the most comprehensive vulnerability intelligence available. As we collect and publish vulnerability data we consciously benchmark ourselves against other resources to ensure we are accomplishing that objective.
In the news:
TechRepublic: Cybersecurity alert: 34% of vulnerabilities found this year remain unpatched
Help Net Security: Five vendors accounted for 24.1% of vulnerabilities in 2019 so far
What We’ve Learned
Overall, in the world of vulnerability disclosures, 2019 has presented few surprises. The number of vulnerabilities disclosed has been consistently high throughout 2019, and the data indicate that the 2019 total is likely to exceed the 2018 figure. Researchers are examining new technologies for security weaknesses, and in response, vendors are patching an incredible number of issues (Adobe disclosed 86 in its May release alone).
In the midst of this, the VulnDB team has continued to work with our customers to understand their third-party dependencies and broaden our coverage correspondingly. As we’ve done so, it has become increasingly obvious that CVE/NVD is falling further and further behind in providing comprehensive vulnerability coverage. Our VulnDB team published 4,332 more vulnerabilities than CVE/NVD in the first half of 2019 alone, highlighting the differences between a true vulnerability research and intelligence service versus a process that is charged primarily with assigning IDs to vendor-reported vulnerabilities.
“8.6% OF VULNERABILITIES ASSIGNED A CVE ID IN THE FIRST HALF OF 2019 ARE STILL IN RESERVED STATUS.”
One of the key issues with the CVE/NVD approach to vulnerability aggregation is the number of CVE IDs that remain in RESERVED status. A RESERVED entry is an ID that has been allocated to a CNA or researcher but for which MITRE has published no description, affected-product information, or references. There are thousands of cases in which an ID has been assigned but no information is available from MITRE.
Some of those vulnerabilities in RESERVED status nonetheless have a public disclosure; in such cases, the full details can be found in VulnDB.
Some of these vulnerabilities have been in RESERVED status for up to a decade even though the details have long been available. This is clearly inadequate, and it’s disappointing that many organizations, security companies, and scanning vendors continue to defend their decision to use CVE/NVD, claiming that it is “good enough” despite understanding full well its coverage issues.
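A practitioner consuming scanner or advisory output wants to know which of their CVE IDs MITRE actually provides detail for. The following is an added example, not code from the original post, from RBS, or from MITRE. It assumes the CVE List JSON 4.0 record shape MITRE published in 2019 (a "CVE_data_meta" object carrying "ID" and "STATE", plus a description array), and every record below is constructed for illustration; the IDs are not real vulnerabilities. It computes the RESERVED share for a given year (the kind of figure quoted above) and flags the IDs for which a second source such as a vulnerability intelligence service is needed.

```python
"""Audit CVE records for IDs that are still in RESERVED state.

Added example; not code from the original post, from RBS, or from MITRE.
Assumes the CVE List JSON 4.0 record shape of 2019 ("CVE_data_meta" with
"ID" and "STATE", plus a description array). All sample records here are
constructed and are not real CVE entries.
"""
import re
from collections import Counter

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
RESERVED_MARKER = "** RESERVED **"
REJECT_MARKER = "** REJECT **"


def _record(cve_id, state, text):
    """Build one constructed record in the CVE JSON 4.0 shape (assumption)."""
    return {
        "CVE_data_meta": {"ID": cve_id, "ASSIGNER": "cve@mitre.org", "STATE": state},
        "description": {"description_data": [{"lang": "eng", "value": text}]},
    }


# Constructed sample records (not real CVEs). 10008 shows a stale STATE:
# it says PUBLIC but still carries the RESERVED placeholder description.
SAMPLE_RECORDS = [
    _record("CVE-2019-10001", "PUBLIC", "Stack-based buffer overflow in example-daemon 1.2."),
    _record("CVE-2019-10002", "RESERVED", RESERVED_MARKER + " This candidate has been reserved."),
    _record("CVE-2019-10003", "PUBLIC", "SQL injection in example-app login form."),
    _record("CVE-2019-10004", "REJECT", REJECT_MARKER + " DO NOT USE THIS CANDIDATE NUMBER."),
    _record("CVE-2019-10005", "PUBLIC", "Path traversal in example-fileserver 3.0."),
    _record("CVE-2019-10006", "RESERVED", RESERVED_MARKER + " This candidate has been reserved."),
    _record("CVE-2019-10007", "PUBLIC", "Use-after-free in example-browser PDF viewer."),
    _record("CVE-2019-10008", "PUBLIC", RESERVED_MARKER + " This candidate has been reserved."),
    _record("CVE-2018-10001", "PUBLIC", "Cross-site scripting in example-wiki 2.4."),
]


def parse_state(record):
    """Return (cve_id, year, state) for one record; raise on a malformed ID.

    The STATE field is cross-checked against the description: a record whose
    description still starts with the RESERVED placeholder has no usable
    detail, so it is treated as RESERVED regardless of what STATE claims.
    """
    meta = record["CVE_data_meta"]
    cve_id = meta["ID"]
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    state = meta.get("STATE", "UNKNOWN").upper()
    descs = record.get("description", {}).get("description_data") or [{}]
    if descs[0].get("value", "").startswith(RESERVED_MARKER):
        state = "RESERVED"
    return cve_id, int(m.group(1)), state


def index_states(records):
    """Map CVE ID -> effective state for fast lookup."""
    return {cve_id: state for cve_id, _, state in map(parse_state, records)}


def reserved_share(records, year):
    """(reserved, assigned, percent) for IDs of `year`.

    REJECT entries are left out of the denominator (assumption: a withdrawn
    ID is not a vulnerability), matching "vulnerabilities assigned a CVE ID".
    """
    counts = Counter(state for _, y, state in map(parse_state, records) if y == year)
    assigned = sum(n for s, n in counts.items() if s != "REJECT")
    reserved = counts.get("RESERVED", 0)
    pct = round(100.0 * reserved / assigned, 1) if assigned else 0.0
    return reserved, assigned, pct


def needs_other_source(cve_ids, state_index):
    """Return {cve_id: reason} for IDs MITRE gives no usable detail for."""
    out = {}
    for cve_id in cve_ids:
        state = state_index.get(cve_id)
        if state is None:
            out[cve_id] = "NOT IN CVE LIST"
        elif state != "PUBLIC":
            out[cve_id] = state
    return out


if __name__ == "__main__":
    reserved, assigned, pct = reserved_share(SAMPLE_RECORDS, 2019)
    print(f"2019: {reserved} of {assigned} assigned IDs RESERVED ({pct}%)")
    scanner_ids = ["CVE-2019-10001", "CVE-2019-10002", "CVE-2019-10004",
                   "CVE-2019-10008", "CVE-2019-99999"]
    for cve_id, why in needs_other_source(scanner_ids, index_states(SAMPLE_RECORDS)).items():
        print(f"{cve_id}: {why} - look up in a second source")
```

The description cross-check matters in practice: the placeholder text is what a scanner or ticketing integration actually surfaces to an analyst, so an entry that still carries it has no affected-version or fix information no matter what its state field says.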
Make sure to request your free copy of our report for a full analysis on the 2019 mid-year vulnerability landscape.
About the QuickView Report and VulnDB
The quarterly Vulnerability QuickView report is a service of VulnDB, which is the world’s most comprehensive, detailed and timely source of vulnerability intelligence and third-party library monitoring.
It provides actionable intelligence about the latest in security vulnerabilities through an easy-to-use SaaS portal, RESTful APIs, and e-mail alerting. Leveraging VulnDB is simpler than ever with our connectors to Splunk, RSA Archer, ServiceNow, GitHub, Polarity, Brinqa, Device42, Recorded Future, and more.