[BreachExchange] Five vendors accounted for 24.1% of vulnerabilities in 2019 so far

Destry Winant destry at riskbasedsecurity.com
Tue Aug 27 10:08:19 EDT 2019


Risk Based Security reported today that VulnDB aggregated 11,092
vulnerabilities with disclosure dates during the first half of 2019,
with CVE/NVD falling behind by 4,332 entries, according to their 2019
Mid-Year Vulnerability QuickView Report.

Five major vendors accounted for 24.1% of those vulnerabilities in
2019 so far. Further analysis reveals that 54% of 2019 vulnerabilities
are Web-related, 34% have public exploits, 53% can be exploited
remotely, and that 34% of 2019 vulnerabilities do not have a
documented solution.

“34% of vulnerabilities do not have a solution, which may be because
vendors are not patching. This can occur when the researcher has not
informed the vendor, so they don’t know about the vulnerability,”
commented Brian Martin, Vice President of Vulnerability Intelligence
at Risk Based Security.

“Additionally, if an organization is using vulnerability scanning,
they may simply not know about all of their assets. For example, if
they are not scanning their entire IP space, or are using a scanner
that is unable to identify 100% of their assets, then devices and
servers may go unpatched.”

This strengthens the analysis published in Risk Based Security’s 2019
Mid-Year Data Breach Report, which identified that the practice of
targeting open, unsecured databases has contributed to the growing
number of records exposed within the last two years.

The report reveals that, of the vulnerabilities not published by
CVE/NVD, 28.2% have a CVSSv2 score between 7.0 and 10. Meanwhile,
8.6% of vulnerabilities that do have a CVE ID remain in RESERVED
status despite having been publicly disclosed.

“An ongoing theme in VulnDB reports is that CVE/NVD continues to fall
short in vulnerability coverage,” commented Brian Martin. “Many
organizations, scanning companies, risk platforms, and security
service providers insist that vulnerability intelligence from CVE/NVD
is ‘good enough’. However, our mindset and approach to vulnerability
aggregation is completely different.” Martin offers the CVE IDs in
RESERVED status as an example of this different mindset. “These are
cases where an ID has been assigned to an issue that was published,
but MITRE isn’t aware. There are thousands of vulnerabilities that we
cover with complete details that MITRE still does not. Worse yet, some
RESERVED vulnerabilities have been in that state for up to a decade,
despite being public for just as long.”

“Overall, in the eight years that RBS has been operating, the
evolution of our own database has been incredible,” concluded Martin.
“One of the most beneficial points of change is collaborating with our
clients to better understand what software is critical to them. As you
can imagine, not all companies are the same! We are thankful to our
clients who take the time to share their stories and needs, so we can
better help them.”