There have been 10,644 vulnerabilities disclosed through June 30th, according to Risk Based Security’s 2018 Mid Year VulnDB QuickView report. This is the highest number of disclosed vulnerabilities at the mid-year point on record.
The 10,644 vulnerabilities cataloged during the first half of 2018 by Risk Based Security’s research team eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by well over 3,000.
The newly released 2018 mid-year report from Risk Based Security shows that 16.6% of the reported vulnerabilities received CVSSv2 scores between 9.0 and 10.0, which is a drop from previous years. However, the severity of the disclosed vulnerabilities remains significant, and organizations need to stay vigilant by implementing a comprehensive software vulnerability assessment and management plan.
“An important and compelling statistic is that of the 3,279 vulnerabilities not reported by CVE/NVD, 44.2% have CVSSv2 scores between 9.0 and 10 (High to Critical severity). While other criteria than just CVSS scores are important to consider when managing and prioritizing vulnerabilities, it is highly problematic if an organization is not aware of higher severity vulnerabilities that pose a risk to their assets,” said Carsten Eiram, Chief Research Officer for Risk Based Security. He further commented that details about vulnerabilities are often available in VulnDB significantly earlier than in the CVE or NVD databases.
“The task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches. Your vulnerability intelligence solution is a cornerstone of your defense strategy. We continue to see a surprising number of companies still relying on CVE and NVD for vulnerability tracking, despite the US government-funded organization’s continued underrepresentation of identifiable vulnerabilities,” said Brian Martin, VP of Vulnerability Intelligence for Risk Based Security.
“While some contend that the CVE/NVD solution is ‘good enough’, the number of data breaches based on hacking points to a different conclusion. In today’s hostile computing environment, with non-stop attacks from around the world, organizations using sub-par vulnerability intelligence are taking on significant risk needlessly,” added Martin.
Of the large number of vulnerabilities reported in 2018, 25.6% currently have no known solution. Because of this, patching, while very important, is only a part of modern vulnerability management. In today’s environment, effective vulnerability management must use detailed intelligence to understand and prioritize mitigation actions to address the ever-changing threats.
The VulnDB QuickView report also shows that while relationships between researchers and vendors can be tricky to navigate, the two groups are making strides in cooperation. The proportion of vulnerabilities disclosed in a coordinated fashion with vendors remains high at around 48.5%, an improvement from 2017.