[BreachExchange] Despite lower number of vulnerability disclosures, security teams have their work cut out for them

Destry Winant destry at riskbasedsecurity.com
Mon Jun 8 10:29:30 EDT 2020


The number of vulnerabilities disclosed in Q1 2020 has decreased by
19.8% compared to Q1 2019, making this likely the only true dip
observed within the last 10 years, Risk Based Security reveals.

Vulnerabilities disclosed in Q1 2020: What happened?

Many factors have been identified as potential contributors to this
decline, including the COVID-19 pandemic, though its precise impact
may not be known for another year.

“Although the pandemic has already brought unprecedented changes to
all walks of life, it is difficult to predict precisely how it will
impact vulnerability disclosures this year,” commented Brian Martin,
Vice President of Vulnerability Intelligence at Risk Based Security.

“It is possible, as we’ve seen with data breaches, that some
researchers and companies may be slower to disclose vulnerabilities.
Between drastic changes in work environments and a global pandemic,
vulnerability disclosure totals may be directly impacted.”

Many vulnerabilities lacking detail in CVE

Despite the lower total number of vulnerability disclosures in Q1,
security teams have their work cut out for them. 561 vulnerabilities
have been identified that have a public exploit, yet do not have any
detail in CVE.

Worse, 60.2% of those vulnerabilities are remotely exploitable. This
is problematic for many organizations that rely on security tools that
are based on CVE data and have little in the way of detection and

Top ten products by vulnerability disclosures in Q1 2020, as compared to 2019

“Those vulnerabilities include issues such as remote authentication
bypass, stored XSS, SQL injection, information disclosure, denial of
service, and more,” Mr. Martin concluded.

“Some of these vulnerabilities are present in software from Symantec,
Apple, Atlassian, ManageEngine, Nextcloud, Jetbrains, and IBM to name
a few. That should give pause to anyone who has to come up with a
mitigation strategy where patching ‘in the right order’ becomes a key

More information about the BreachExchange mailing list