Over 10,000 vulnerabilities disclosed this year so far
2018 looks like it's on track to be another record year for vulnerabilities, with over 10,000 disclosed in the half year to June.
The newly released 2018 mid-year VulnDB QuickView report from Risk Based Security shows that 16.6 percent of the reported vulnerabilities received CVSSv2 (Common Vulnerability Scoring System) scores of between 9.0 and 10.0, which is a drop from previous years. However, the severity of the vulnerabilities disclosed still remains significant.
"An important and compelling statistic is that of the 3,279 vulnerabilities not reported by CVE/NVD (Common Vulnerabilities and Exposures/National Vulnerability Database), 44.2 percent have CVSSv2 scores between 9.0 and 10 (High to Critical severity)," says Carsten Eiram, chief research officer for Risk Based Security. "While other criteria than just CVSS scores are important to consider when managing and prioritizing vulnerabilities, it is highly problematic if an organization is not aware of higher severity vulnerabilities that pose a risk to their assets."
Of the vulnerabilities reported in 2018, 25.6 percent currently have no known solution. Because of this, patching, while still important, is only a part of modern vulnerability management. In today's environment, effective vulnerability management needs to use detailed intelligence to understand and prioritize mitigation actions to address the ever-changing threat landscape.
The report also shows that while relationships between researchers and vendors can be tricky to navigate, progress is being made in cooperation. The share of vulnerabilities disclosed in a coordinated fashion with vendors remains high at around 48.5 percent, an improvement from 2017.
"The task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches," says Brian Martin, VP of vulnerability intelligence for Risk Based Security. "Your vulnerability intelligence solution is a cornerstone of your defense strategy. We continue to see a surprising number of companies still relying on CVE and NVD for vulnerability tracking, despite the US government-funded organization's continued under-representation of identifiable vulnerabilities."
You can read more in the full report available from the Risk Based Security site.