The number of recorded vulnerability disclosures continues to rise: Risk Based Security’s VulnDB team recorded 10,644 in the first half of 2018. According to the 2018 Mid-Year VulnDB QuickView Report, that total is 3,279 more vulnerabilities than were listed in CVE/NVD over the same period.
The total is only a 1% increase over the same period last year. Of the vulnerabilities disclosed in the first six months of 2018, 73% have a documented solution and only 32.1% have a public exploit; however, 50% can be exploited remotely.
Of the vulnerabilities disclosed, 16.6% scored 9.0 or higher on the CVSSv2 scale. Nearly half (48.2%) were disclosed through coordinated disclosure, yet only 13.1% of those coordinated disclosures came through bug bounty programs.
“An important and compelling statistic is that of the 3,279 vulnerabilities not reported by CVE/NVD, 44.2% have CVSSv2 scores between 9.0 and 10 (high to critical severity). While criteria other than just CVSS scores are important to consider when managing and prioritizing vulnerabilities, it is highly problematic if an organization is not aware of higher-severity vulnerabilities that pose a risk to their assets,” said Carsten Eiram, chief research officer for Risk Based Security.
“We continue to see a surprising number of companies still relying on CVE and NVD for vulnerability tracking, despite the US government–funded organization’s continued underrepresentation of identifiable vulnerabilities,” said Brian Martin, VP of vulnerability intelligence for Risk Based Security.
“While some contend that the CVE/NVD solution is ‘good enough,’ the number of data breaches based on hacking points to a different conclusion. In today's hostile computing environment, with nonstop attacks from around the world, organizations using subpar vulnerability intelligence are taking on significant risk needlessly.”