[BreachExchange] Over 11,092 Newly-Disclosed Vulnerabilities Aggregated and Analyzed by RBS

Destry Winant destry at riskbasedsecurity.com
Mon Aug 26 10:10:45 EDT 2019


https://www.riskbasedsecurity.com/2019/08/23/over-11092-newly-disclosed-vulnerabilities-aggregated-and-analyzed-by-rbs/


Today, we released our 2019 Mid-Year Vulnerability QuickView Report,
which summarizes the 11,092 vulnerabilities disclosed during the first
half of 2019 and aggregated by our VulnDB® team.

One of the fundamental objectives of our VulnDB service is to
continually expand our search processes in order to collect as many
vulnerabilities as possible and provide our clients with the most
comprehensive vulnerability intelligence available. As we collect and
publish vulnerability data we consciously benchmark ourselves against
other resources to ensure we are accomplishing that objective.

What We’ve Learned


Overall, in the world of vulnerability disclosures, 2019 has presented
few surprises. The number of vulnerabilities disclosed this year has
been steady yet high throughout 2019, with data indicating that the
total number of vulnerabilities disclosed in 2019 is likely to exceed
the corresponding number from 2018. Researchers are looking at new
technologies to assess security weaknesses, and in response, vendors
are patching an incredible number of issues (Adobe disclosed 86 in
their May release alone).

In the midst of this, the VulnDB team has continued to work with our
customers to understand their third-party dependencies and broaden our
coverage correspondingly. As we've done so, it has become
increasingly obvious that CVE/NVD is falling further and further
behind in providing comprehensive vulnerability coverage. Our VulnDB
team published 4,332 more vulnerabilities than CVE/NVD in the first
half of 2019 alone, highlighting the difference between a true
vulnerability research and intelligence service and a process that
is charged primarily with assigning IDs to vendor-reported
vulnerabilities.

“8.6% OF VULNERABILITIES ASSIGNED A CVE ID IN THE FIRST HALF OF 2019
ARE STILL IN RESERVED STATUS.”


One of the key issues with the CVE/NVD approach to vulnerability
aggregation is the number of CVE IDs that are in RESERVED status.
There are thousands of cases where an ID has been assigned but no
information about it is available from MITRE.

Yet some of the vulnerabilities behind those RESERVED IDs do have a
public disclosure, and for those the full details can be found in
VulnDB.

Some of these vulnerabilities have been in RESERVED status for up to a
decade even though the details have long been available. This is
clearly inadequate, and it’s disappointing that many organizations,
security companies, and scanning vendors continue to defend their
decision to use CVE/NVD, claiming that it is “good enough” despite
understanding full well its coverage issues.
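The practical consequence of the RESERVED problem is that a scanner or ticket that cites a CVE ID may point at an entry with no public detail at MITRE. The following triage helper is an added example, not code from Risk Based Security or the VulnDB service. It assumes CVE records in the shape of the JSON 4.0 files in MITRE's cvelist repository, where CVE_data_meta carries an "ID" and a "STATE" of PUBLIC, RESERVED or REJECT; that field layout is an assumption to verify against the files you actually consume. The sample records and their IDs are constructed for illustration and are not real CVEs. The year segment of a CVE ID is the year the ID was reserved (or the year the issue was published), which the helper uses only as a rough proxy for how long an entry has sat in RESERVED status.

```python
"""Triage a batch of CVE records by their MITRE state (added example).

Assumes CVE JSON 4.0 style records: {"CVE_data_meta": {"ID": ..., "STATE": ...}}.
"""
from datetime import date

# Constructed sample records; IDs are made up for illustration, not real CVEs.
SAMPLE_RECORDS = [
    {"CVE_data_meta": {"ID": "CVE-2019-99901", "STATE": "PUBLIC"}},
    {"CVE_data_meta": {"ID": "CVE-2019-99902", "STATE": "RESERVED"}},
    {"CVE_data_meta": {"ID": "CVE-2019-99903", "STATE": "PUBLIC"}},
    {"CVE_data_meta": {"ID": "CVE-2009-99904", "STATE": "RESERVED"}},
    {"CVE_data_meta": {"ID": "CVE-2019-99905", "STATE": "REJECT"}},
]


def reserved_ids(records):
    """IDs whose MITRE state is RESERVED, i.e. no public detail at MITRE."""
    return [
        r["CVE_data_meta"]["ID"]
        for r in records
        if r["CVE_data_meta"].get("STATE") == "RESERVED"
    ]


def reserved_ratio(records):
    """Fraction of records in RESERVED state, as a float in [0, 1]."""
    if not records:
        return 0.0
    return len(reserved_ids(records)) / len(records)


def stale_reserved(records, today_year, min_age_years=2):
    """RESERVED IDs whose year segment (CVE-YYYY-NNNNN) is at least
    min_age_years before today_year. The year in the ID is only a proxy
    for reservation age: it is the year the ID was reserved or published."""
    stale = []
    for cve_id in reserved_ids(records):
        year = int(cve_id.split("-")[1])
        if today_year - year >= min_age_years:
            stale.append(cve_id)
    return stale


def triage(records, today_year=None):
    """Summarise a batch: how many IDs carry no MITRE detail, and which
    of those have been sitting reserved long enough to chase elsewhere."""
    if today_year is None:
        today_year = date.today().year
    return {
        "total": len(records),
        "reserved": reserved_ids(records),
        "reserved_ratio": reserved_ratio(records),
        "stale_reserved": stale_reserved(records, today_year),
    }


if __name__ == "__main__":
    # Pin the year so the output matches the constructed sample.
    for key, value in triage(SAMPLE_RECORDS, today_year=2019).items():
        print(f"{key}: {value}")
```

Anything listed under stale_reserved is an ID a scanner may report with no MITRE detail behind it; those are the entries worth checking against a source that tracks the public disclosure itself rather than the ID.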

Make sure to request your free copy of our report for a full analysis
on the 2019 mid-year vulnerability landscape.

Get your copy of the 2019 Mid-Year Vulnerability QuickView Report

About the QuickView Report and VulnDB

The quarterly Vulnerability QuickView report is a service of VulnDB,
which is the world’s most comprehensive, detailed and timely source of
vulnerability intelligence and third-party library monitoring.

It provides actionable intelligence about the latest in security
vulnerabilities through an easy-to-use SaaS portal, RESTful APIs, and
e-mail alerting. Leveraging VulnDB is simpler than ever with our
connectors to Splunk, RSA Archer, ServiceNow, GitHub, Polarity,
Brinqa, Device42, Recorded Future, and more.

