A record-breaking 20,832 vulnerabilities were disclosed in 2017, but only 12,932 of them received an official CVE identifier last year, a Risk Based Security (RBS) report reveals.
This means that 7,900 security bugs never received a CVE-2017-XXXXX identifier and, because many security scanners key their databases on CVE IDs, were left out of those databases as a result.
Furthermore, this also means that many of those bugs remained buried on forums and personal blogs, places where attackers may have the time to scout, but where many IT security departments will never look.
This isn't the first time that MITRE's Common Vulnerabilities and Exposures (CVE) list and NIST's National Vulnerability Database (NVD) have fallen short of identifying and cataloguing all the security flaws disclosed in a year; it has become a habit for the two organizations over the past decade.
The reasons are plenty, but one of them is the explosion of security bugs in IoT devices, which has made it harder for MITRE and NVD staff to keep up with all the bugs.
Furthermore, almost 7,000 2017 vulnerabilities received a RESERVED CVE status, with no public details available, despite 1,342 of them having been publicly disclosed. "This seems to indicate that MITRE is more focused on assigning and increasing the number of IDs, and not ensuring the quality of data," RBS experts concluded.
CVE-2010-0109 opened up today, covering an issue disclosed on 2010-02-25. (2917 days to open)— Sciuridae Hero (@attritionorg) February 19, 2018
MITRE is perpetually behind, and that is one recent example of just how bad the problem is.— Sciuridae Hero (@attritionorg) February 19, 2018
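The two gaps described above (bugs that never get a CVE, and bugs whose CVE sits in RESERVED with no details while a write-up is already public) are exactly what a scanner keyed only on published CVE entries cannot see. The following is an added example, not code from the article or from Risk Based Security, showing how a vulnerability-intake list can be reconciled against CVE state to surface those blind spots. The record layout (`source`, `cve_state`, `disclosed`, `cve_published`) and the sample rows are constructed for the exercise; only the CVE-2010-0109 timeline is taken from the tweet above, and Python's date arithmetic yields 2916 days for it where the tweet's inclusive count gives 2917.

```python
"""Reconcile a vulnerability intake list against CVE coverage.

Added example. A scanner that only ingests published CVE entries misses
two classes of bugs: those with no CVE at all, and those whose CVE is
still RESERVED (no public details) even though a public write-up exists.
"""
from datetime import date
from typing import Optional

# Constructed sample records (assumed layout, not data from the RBS report).
# Only the CVE-2010-0109 disclosure/publication dates come from the page;
# the other rows are shapes of record and carry no CVE identifier.
SAMPLE_RECORDS = [
    {"source": "vendor advisory", "cve_state": "PUBLIC",
     "disclosed": "2017-03-02", "cve_published": "2017-03-02"},
    {"source": "forum post", "cve_state": None,
     "disclosed": "2017-06-11", "cve_published": None},
    {"source": "personal blog", "cve_state": "RESERVED",
     "disclosed": "2017-08-20", "cve_published": None},
    {"source": "coordinated disclosure in progress", "cve_state": "RESERVED",
     "disclosed": None, "cve_published": None},
    {"source": "CVE-2010-0109", "cve_state": "PUBLIC",
     "disclosed": "2010-02-25", "cve_published": "2018-02-19"},
]


def classify(rec: dict) -> str:
    """Bucket a record by what a CVE-keyed scanner would do with it.

    covered          -> CVE entry is public; scanner feeds will carry it
    reserved_public  -> details are public, but the CVE is still RESERVED
    reserved_private -> RESERVED and nothing public yet (embargo, fine)
    no_cve           -> no CVE assigned at all
    """
    state = rec.get("cve_state")
    publicly_disclosed = rec.get("disclosed") is not None
    if state == "PUBLIC":
        return "covered"
    if state == "RESERVED":
        return "reserved_public" if publicly_disclosed else "reserved_private"
    return "no_cve"


def days_to_open(rec: dict) -> Optional[int]:
    """Days between public disclosure and the CVE entry being opened."""
    if not (rec.get("disclosed") and rec.get("cve_published")):
        return None
    opened = date.fromisoformat(rec["cve_published"])
    disclosed = date.fromisoformat(rec["disclosed"])
    return (opened - disclosed).days


def summarize(records: list) -> dict:
    """Count each bucket and total the ones a CVE-only scanner misses."""
    counts = {"covered": 0, "no_cve": 0,
              "reserved_public": 0, "reserved_private": 0}
    for rec in records:
        counts[classify(rec)] += 1
    # Blind spots: publicly known bugs with no usable CVE data.
    counts["scanner_blind_spots"] = counts["no_cve"] + counts["reserved_public"]
    return counts


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['source']:<40} {classify(rec):<17} "
              f"days_to_open={days_to_open(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

The `reserved_private` bucket is deliberately not counted as a blind spot: a RESERVED entry with no public disclosure is the normal state during coordinated disclosure. The actionable set is `no_cve` plus `reserved_public`, which is where the 7,900 unnumbered bugs and the 1,342 disclosed-but-RESERVED entries from the report would land.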
These are just some of the many statistics included in the 2017 Year End VulnDB QuickView report from Risk Based Security. Readers can learn plenty from the full 20-page report, but we have summarized its main findings below for those who don't have time to go through the research:
But Risk Based Security's work wasn't limited to analyzing the 2017 vulnerability landscape alone. The company also published the 2017 Year End Data Breach QuickView report, in which it took a look at the overall state of data breach reporting.
Much like the vulnerability figures, the breach numbers for 2017 set records: 5,207 data breaches, a 20% increase over the previous high set in 2015, exposed 7.89 billion records, 24.2% more than the previous high set in 2016. This report's main findings are below: