February 2, 2021 • RBS

Categories: Security News

UPDATE: The number of vulnerabilities missed by CVE is constantly growing. Check out the VulnDB page for an up-to-date count.

VulnDB has many attributes that set it apart from other vulnerability databases. We have written extensively about some of these, including timeliness, historical data, extensive metadata, product ratings, social risk scores, and more. One of the things that we at Risk Based Security, and our VulnDB team specifically, take pride in is the number of vulnerabilities we have aggregated that do not have a CVE ID. That single number is a simple yet effective way to show just how much more extensive our vulnerability intelligence is, and it is a good bet that your organization is in the dark.

To put it simply: if your organization has an important asset, let’s name it SquirrelPC, and your vulnerability scanner says there are 10 vulnerabilities in it, your team is only able to react to that information. You may upgrade to the version believed to fix all ten vulnerabilities that you are aware of at the time. But what if, in reality, there are at least 13 vulnerabilities, and you are still vulnerable to three of them? There is no way to know when dealing with limited intelligence! That is just one of the reasons why you want broad vulnerability coverage for your vulnerability management program, from a team of industry experts proactively looking for that information. And that is exactly what VulnDB does. We scour thousands of sources every day looking for information you need to make the best risk-based decisions.

At the start of 2020, VulnDB included around 72,000 vulnerabilities that did not have a CVE identifier. We add more almost every day during our aggregation efforts. Sometimes that might just be one or two, while other days it may be closer to our average of 22. The biggest single-day increase in 2020 was a whopping 95 vulnerabilities that MITRE and the CVE/NVD ecosystem missed. That is a disservice to organizations that use security products that blindly trust CVE/NVD data.

VulnDB has now crossed the milestone of 80,000 aggregated vulnerabilities without a CVE ID, and it’s a mark of pride for our research team. We take vulnerability intelligence seriously and that is one of many ways we know that we’re providing an important service to our clients. Of course, 80,000 is just as arbitrary as 31,337 or 57,923. The reality is that it only takes one missed vulnerability for an organization to have a very bad time, and possibly wind up in Cyber Risk Analytics as the next breached company. But 80k is a nice round number so we celebrated it all the same and will continue to track every vulnerability that we can find!

Hungry for more insights on the vulnerability landscape? Look out for our 2020 Year End Vulnerability QuickView report, coming mid-February.

See how VulnDB can fuel your vulnerability management program with 80,000 vulnerabilities without CVE.
