The CVE Gap Widens
November 25, 2019 • RBS
Today, we released our Q3 2019 Vulnerability QuickView Report, which highlights the trends occurring within the computer vulnerability disclosure landscape. Risk Based Security’s VulnDB team aggregated 16,738 newly-disclosed vulnerabilities during the first three quarters of 2019, surpassing CVE/NVD by 5,970 during the same period.
“As the VulnDB team continues to monitor vulnerability disclosure sources, we are continuously improving our processes as we work closely with customers to better understand their needs.
The trends presented in the previous report continue as usual. However, we are starting to see a disturbing development regarding vulnerabilities that could pose a significant problem for organizations that rely on CVE/NVD data.”
Brian Martin, Vice President of Vulnerability Intelligence, RBS
That development is highlighted in the Q3 2019 Vulnerability QuickView Report, which covers vulnerabilities disclosed between January 1st and September 30th, 2019. A key finding is that, of the vulnerabilities aggregated by the VulnDB team, 15% of 2019 vulnerabilities with a CVE ID were in RESERVED status, providing no information to consumers.
In addition, an alarming number of vulnerabilities have been disclosed without a CVE ID and are missing from the CVE database. Analysis shows that organizations that rely on CVE data will be unable to see almost 7,000 vulnerabilities this year.
“Relying on researchers and vendors to take the initiative to notify CVE is not a model that works in favor of CVE consumers. Even worse, the severity of some of these issues is High and Critical.
In reality, this isn’t too big of a shock. Even high-profile vulnerabilities like the Chrome zero-day exploit are still in RESERVED status even though a solution has been made available. Despite the urgency and existence of a public exploit, CVE instead pushed out assignments from issues disclosed in 2012.
We’ve updated VulnDB on our end as soon as the information was disclosed. This is simply unacceptable for any organization that requires proper vulnerability intelligence, yet still relies on CVE/NVD.”
Brian Martin, Vice President of Vulnerability Intelligence, RBS
Download your free copy of the report today to learn more about the vulnerability trends and statistics unfolding in 2019.
About the QuickView Report and VulnDB
The quarterly Vulnerability QuickView report is a service of VulnDB, which is the world’s most comprehensive, detailed and timely source of vulnerability intelligence and third-party library monitoring.
It provides actionable intelligence about the latest in security vulnerabilities through an easy-to-use SaaS portal, RESTful APIs, and e-mail alerting. Leveraging VulnDB is simpler than ever with our connectors to Splunk, RSA Archer, ServiceNow, GitHub, Polarity, Brinqa, Device42, Recorded Future, and more.