[BreachExchange] The CVE Gap Widens

Destry Winant destry at riskbasedsecurity.com
Tue Nov 26 09:57:46 EST 2019


https://www.riskbasedsecurity.com/2019/11/25/the-cve-gap-widens/

Today, we released our Q3 2019 Vulnerability QuickView Report, which
highlights trends in the computer vulnerability disclosure landscape.
Risk Based Security's VulnDB team aggregated 16,738 newly disclosed
vulnerabilities during the first three quarters of 2019, surpassing
CVE/NVD by 5,970 over the same period.

“As the VulnDB team continues to monitor vulnerability disclosure
sources, we are continuously improving our processes as we work
closely with customers to better understand their needs.

The trends presented in the previous report continue as usual.
However, we are starting to see a disturbing development regarding
vulnerabilities that could pose a significant problem for
organizations that rely on CVE/NVD data.”

Brian Martin, Vice President of Vulnerability Intelligence, RBS

That development is highlighted in the Q3 2019 Vulnerability QuickView
Report, which covers vulnerabilities disclosed between January 1st and
September 30th, 2019. A key finding is that, of the vulnerabilities
compiled by the VulnDB team, 15% of the 2019 vulnerabilities with a
CVE ID were still in RESERVED status, meaning the CVE entry carries no
description, references or affected-product details for consumers.

In addition, an alarming number of vulnerabilities have been disclosed
without a CVE ID and are missing from the CVE database entirely. The
analysis shows that organizations relying on CVE data alone will be
unable to see almost 7,000 of this year's vulnerabilities.

“Relying on researchers and vendors to take the initiative to notify
CVE is not a model that works in favor of CVE consumers. Even worse,
the severity of some of these issues is High and Critical.

In reality, this isn’t too big of a shock. Even high-profile
vulnerabilities like the Chrome zero-day exploit are still in RESERVED
status even though a solution has been made available. Despite the
urgency and existence of a public exploit, CVE instead pushed out
assignments from issues disclosed in 2012.

We’ve updated VulnDB on our end as soon as the information was
disclosed. This is simply unacceptable for any organization that
requires proper vulnerability intelligence, yet still relies on
CVE/NVD.”

Brian Martin, Vice President of Vulnerability Intelligence, RBS

Download your free copy of the report today to learn more about the
vulnerability trends and statistics unfolding in 2019.

About the QuickView Report and VulnDB

The quarterly Vulnerability QuickView report is a service of VulnDB,
which is the world’s most comprehensive, detailed and timely source of
vulnerability intelligence and third-party library monitoring.

It provides actionable intelligence about the latest in security
vulnerabilities through an easy-to-use SaaS portal, RESTful APIs, and
e-mail alerting. Leveraging VulnDB is simpler than ever with our
connectors to Splunk, RSA Archer, ServiceNow, GitHub, Polarity,
Brinqa, Device42, Recorded Future, and more.
