On pace to break 20k mark for disclosed vulnerabilities

Nov. 19, 2018

Risk Based Security announced the public release of its 2018 Q3 VulnDB QuickView report, which shows that 16,172 vulnerabilities have been disclosed through October 29th. This is a 7% decrease from the record high reported at this time last year. The 16,172 vulnerabilities cataloged through Q3 2018 by Risk Based Security’s research team eclipsed the total covered by CVE and the National Vulnerability Database (NVD) by over 4,800. It’s also worth noting that NVD is still significantly behind in vulnerability scoring and creating the automation component.

Key findings for Q3 2018:

  • There were 16,172 vulnerabilities published by Risk Based Security’s VulnDB team through the end of Q3 2018.
  • The period up to the end of Q3 2018 showed a 7% decrease from the same period in 2017, which set the all-time record for number of vulnerabilities.
  • Risk Based Security’s VulnDB published 4,823 more vulnerabilities than CVE/NVD through the end of Q3 2018.
  • CVSSv2 scores of 7.0+ accounted for 34.9% of all 2018’s published vulnerabilities through Q3.
  • Through Q3, 46% of the vulnerabilities not published by NVD/CVE have a CVSSv2 score between 7.0 and 10.
  • Coordinated disclosure accounted for 48.3% of 2018 vulnerabilities through Q3. 8.7% of coordinated disclosures were through bug bounty programs.
  • Web-related vulnerabilities accounted for 46.0% of 2018 vulnerabilities so far.
  • Of the vulnerabilities published through the end of Q3 2018, 31.2% have public exploits. 48.4% of 2018 vulnerabilities can be exploited remotely.
  • 1% of vulnerabilities published through Q3 2018 have a documented solution.
  • 6% of the vulnerabilities published up to the end of Q3 were classified as SCADA vulnerabilities.
  • 4% of 2018 vulnerabilities through Q3 were classified as impacting security software.

Risk Based Security has more information