Throughout this report, we use the terms “vulnerability” and “CVE” interchangeably. Common Vulnerabilities and Exposures (CVE) is “a list of entries – each containing an identification number, a description and at least one public reference – for publicly known cybersecurity vulnerabilities.” A CVE identifier describes a unique vulnerability, where “unique” may mean unique to a specific version on a given operating system rather than unique in general.
In reality, multiple CVEs can refer to the same “vulnerability” (e.g., a vulnerability affecting a browser available on multiple operating systems such as Microsoft Windows, Red Hat Enterprise Linux and SUSE Linux).
To ensure that we have comparable data for new and old vulnerabilities, whenever we refer to “CVSS” or “severity,” we are generally referring to CVSSv2, unless we state otherwise. We generally use CVSSv2 when comparing historical vulnerability data and CVSSv3 only when considering more recent ones, where CVSSv3 data is available.
The growth in new vulnerabilities continues unabated:
- 15,038 new vulnerabilities were published in 2017 to CVE versus 9,837 in 2016, an increase of 53%.
- The first half of 2018 shows an increase of 27% versus the first half of 2017. We are on track for 18,000–19,000 new vulnerabilities this year.
Prioritizing based on High severity or exploitability alone is becoming increasingly ineffective due to the sheer volume:
- 54% of new CVEs in 2017 were rated as CVSSv3 7.0 (High) or higher.
- Public exploits are available for 7% of vulnerabilities.
- For vulnerabilities where both CVSS version 2 and 3 scores are available and a comparison is possible (mainly post-2016), CVSSv3 scores the majority of vulnerabilities as High or Critical (CVSSv2 31% versus CVSSv3 60%).
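As an added illustration (not code from the report), the following Python applies the two scoring conventions the report relies on: the official CVSSv2 and CVSSv3 qualitative bands, the “both scores available” comparison behind the 31% versus 60% figure, and the fallback of using v3 where it exists and v2 otherwise. The CVE identifiers and scores are constructed placeholders.

```python
# Added example (not from the report): severity banding under CVSSv2 and
# CVSSv3 and the "both scores available" comparison the report describes.
from dataclasses import dataclass
from typing import Optional

# Official qualitative bands: CVSSv2 has three, CVSSv3 adds None and Critical.
def cvss2_band(score: float) -> str:
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def cvss3_band(score: float) -> str:
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

@dataclass
class Record:
    cve: str                # placeholder identifier, not a real CVE
    cvss2: float
    cvss3: Optional[float]  # None for older CVEs that were never scored under v3

# Constructed sample set (placeholder ids and scores, not real CVE data).
SAMPLE = [
    Record("CVE-0000-0001", 6.8, 8.8),
    Record("CVE-0000-0002", 5.0, 7.5),
    Record("CVE-0000-0003", 4.3, 6.1),
    Record("CVE-0000-0004", 7.5, 9.8),
    Record("CVE-0000-0005", 6.5, None),
]

def high_or_above_share(records):
    """Share rated High+ under v2 and v3, among records that carry both scores."""
    both = [r for r in records if r.cvss3 is not None]
    v2 = sum(cvss2_band(r.cvss2) == "High" for r in both)
    v3 = sum(cvss3_band(r.cvss3) in ("High", "Critical") for r in both)
    return v2 / len(both), v3 / len(both)

def severity_queue(records, use_v3=True):
    """Queue if triage is purely 'High or above' (v3 where available, else v2)."""
    out = []
    for r in records:
        band = cvss3_band(r.cvss3) if use_v3 and r.cvss3 is not None else cvss2_band(r.cvss2)
        if band in ("High", "Critical"):
            out.append(r.cve)
    return out
```

On the sample set the same four dual-scored records are 25% High under v2 but 75% High or Critical under v3, which is the effect the report attributes to the v3 rescaling.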
In this report, we provide an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments. We analyze vulnerability prevalence in the wild, based on the number of affected enterprises, to highlight vulnerabilities that security practitioners are dealing with in practice – not just in theory. Our study confirms that managing vulnerabilities is a challenge of scale, velocity and volume. It is not just an engineering
Vulnerability Disclosure Trends
In this section of the resource, we look at current vulnerability disclosure trends. To denote specific vulnerabilities, we use Common Vulnerabilities and Exposures (CVE) IDs. CVE itself has some known issues, especially around comprehensiveness and timeliness, but it is considered an official standard by many and we use it here as a baseline.