CVE gap widens: 16,738 vulnerabilities disclosed during the first nine months of 2019
Risk Based Security’s VulnDB team aggregated 16,738 newly-disclosed vulnerabilities during the first three quarters of 2019, which surpassed CVE/NVD by 5,970 during the same period.
Relying on CVE/NVD data
“As the VulnDB team continues to monitor vulnerability disclosure sources, we are continuously improving our processes as we work closely with customers to better understand their needs,” commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.
“The trends presented in the previous quarterly report continue as usual. However, we are starting to see a disturbing development regarding vulnerabilities that could pose a significant problem for organizations that rely on CVE/NVD data.”
CVE gap widens
That development is highlighted in the Q3 2019 Vulnerability QuickView Report, which covers vulnerabilities disclosed between January 1st and September 30th, 2019. A key finding is that, of the vulnerabilities aggregated by the VulnDB team, 15% of those disclosed in 2019 with a CVE ID were in RESERVED status, providing no information to consumers.
In addition, an alarming number of vulnerabilities have been disclosed without a CVE ID and are missing from the CVE database. Analysis shows that organizations that rely on CVE data will be unable to see almost 7,000 vulnerabilities this year.
CVE issues
“Relying on researchers and vendors to take the initiative to notify CVE is not a model that works in favor of CVE consumers. Especially when you realize that many of the missing vulnerabilities are of High and Critical severity,” Martin concludes.
“Even high-profile vulnerabilities like the recently-reported Google Chrome zero-day exploit are still in RESERVED status, when a solution was made available weeks ago. We updated VulnDB as soon as the information was disclosed. However, despite the urgency and existence of a public exploit, CVE instead pushed out assignments from issues disclosed in 2012 among other things. This is simply unacceptable for any organization that requires proper vulnerability intelligence, yet still relies on CVE/NVD.”