The number of vulnerability disclosures is back on track to reach or surpass the 2019 total as we head into 2021, according to Risk Based Security.
The team aggregated 17,129 vulnerabilities disclosed during the first three quarters of 2020, marking a 4.6% gap when compared to last year. However, earlier in 2020 that gap was instead a sharp decline of 19.2%.
“At the end of Q1 this year, we saw what appeared to be a sharp decline in vulnerability disclosures as compared to 2019, dropping by 19.2%. Statistically that is huge,” commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.
“However, as 2020 continues, we are starting to see just how large an impact the pandemic has had on vulnerability disclosures.”
Patch Tuesdays burdening IT teams
The report goes into further detail on what that impact is and how the gap in vulnerability reporting has been rapidly closing. Contributing factors include researchers and organizations returning to their old routines, as well as the Vulnerability Fujiwhara observed earlier this year. However, the main contributor to the closing gap is “regular” Patch Tuesday events.
“Patch Tuesdays have grown to be serious undertakings and may represent an incredible burden on IT teams that can last weeks during remediation efforts,” Mr. Martin concluded.
“It goes without saying that as Patch Tuesday workloads increase, the time needed for remediation will follow suit. Even though the Fujiwhara storms have settled, we are starting to see that “regular” Patch Tuesdays are consistently reaching volumes comparable to January’s event.
“For organizations who are still relying solely on CVE/NVD, they may find that their timeline may be further extended as the number of vulnerabilities “missed” by MITRE remains consistent.”