[BreachExchange] CVE gap widens: 16,738 vulnerabilities disclosed during the first nine months of 2019

Destry Winant destry at riskbasedsecurity.com
Wed Dec 4 10:08:27 EST 2019


Risk Based Security’s VulnDB team aggregated 16,738 newly-disclosed
vulnerabilities during the first three quarters of 2019, which
surpassed CVE/NVD by 5,970 during the same period.

Relying on CVE/NVD data

“As the VulnDB team continues to monitor vulnerability disclosure
sources, we are continuously improving our processes as we work
closely with customers to better understand their needs,” commented
Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

“The trends presented in the previous quarterly report continue as
usual. However, we are starting to see a disturbing development
regarding vulnerabilities that could pose a significant problem for
organizations that rely on CVE/NVD data.”

CVE gap widens

That development is highlighted in the Q3 2019 Vulnerability QuickView
Report which covers vulnerabilities disclosed between January 1st and
September 30th, 2019. A key finding is that of the aggregated
vulnerabilities compiled by the VulnDB team, 15% of 2019
vulnerabilities with a CVE ID were in RESERVED status, providing no
information to consumers.

In addition, there are an alarming number of vulnerabilities that have
been disclosed without a CVE ID, and are missing from the CVE
database. Analysis shows that organizations that rely on CVE data will
be unable to see almost 7,000 vulnerabilities this year.

CVE issues

“Relying on researchers and vendors to take the initiative to notify
CVE is not a model that works in favor of CVE consumers. Especially
when you realize that many of the missing vulnerabilities are of High
and Critical severity,” Martin concludes.

“Even high-profile vulnerabilities like the recently-reported Google
Chrome zero-day exploit are still in RESERVED status, when a solution
was made available weeks ago. We updated VulnDB as soon as the
information was disclosed. However, despite the urgency and existence
of a public exploit, CVE instead pushed out assignments from issues
disclosed in 2012 among other things. This is simply unacceptable for
any organization that requires proper vulnerability intelligence, yet
still relies on CVE/NVD.”
