Summary

In this report, we provide an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments. We analyze vulnerability prevalence in the wild, based on the number of affected enterprises, to highlight the vulnerabilities that security practitioners are dealing with in practice – not just in theory. Our study confirms that managing vulnerabilities is a challenge of scale, velocity and volume. It is not just an engineering challenge; it requires a risk-centric view to prioritize thousands of vulnerabilities that superficially all seem the same.
Throughout this report, we use the terms “vulnerability” and “CVE” interchangeably. Common Vulnerabilities and Exposures[1] (CVE) is “a list of entries – each containing an identification number, a description and at least one public reference – for publicly known cybersecurity vulnerabilities.”[2] A CVE identifier describes a unique vulnerability, whereby “unique” can refer to unique on a given operating system for a specific version rather than in general. In reality, multiple CVEs can refer to the same “vulnerability” (e.g., a vulnerability affecting a browser available on multiple operating systems such as Microsoft Windows, Red Hat Enterprise Linux and SUSE Linux).

To ensure that we have comparable data for new and old vulnerabilities, whenever we refer to “CVSS” or “severity,” we are generally referring to CVSSv2, unless we state otherwise. We generally use CVSSv2 when comparing historical vulnerability data, and CVSSv3 only when considering more recent vulnerabilities for which CVSSv3 data is available.
VULNERABILITY INTELLIGENCE report
Key Takeaways
The growth in new vulnerabilities continues unabated:
• 15,038 new vulnerabilities were published in 2017 to CVE[3] versus 9,837 in 2016, an increase of 53%.
• The first half of 2018 shows an increase of 27% versus the first half of 2017. We are on track for 18,000–19,000 new vulnerabilities this year.
Prioritizing based on High severity or exploitability alone is becoming increasingly ineffective due to the sheer volume:
• 54% of new CVEs in 2017 were rated as CVSSv3 7.0 (High) or higher.
• Public exploits are available for 7% of vulnerabilities.
• For vulnerabilities where both CVSS version 2 and 3 scores are available and a comparison is possible (mainly post-2016), CVSSv3 scores the majority of vulnerabilities as High or Critical (CVSSv2 31% versus CVSSv3 60%).
Enterprise vulnerability management is a challenge of scale, volume and velocity:
• The live population (22,625) of distinct vulnerabilities that actually resides in enterprise environments represents 23% of all possible CVEs (107,710).
• Almost two-thirds (61%) of the vulnerabilities that enterprises find in their environments have a CVSSv2 severity of High (7.0–10.0).
• Vulnerabilities with a CVSSv2 score of 9.0–10.0 represent 12% of the entire vulnerability population. On average, an enterprise finds 870 CVEs per day across 960 assets[4]. This means that prioritization methodologies based on remediating only Critical CVEs still leave the average enterprise with more than a hundred vulnerabilities per day (12% of 870 is roughly 104) to prioritize and patch, often on multiple systems.
• Considerable numbers of old Oracle Java, Adobe Flash and Microsoft IE and Office vulnerabilities were discovered in enterprise environments (some older than a decade). Old, discontinued and end-of-life applications are out there – and legacy applications are still a major source of residual risk.
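The following Python example is added here and is not code from the report or its authors. It puts two points from this page into runnable form: the CVSSv2/CVSSv3 severity bands the sidebar relies on, and the argument above that a severity threshold alone leaves a queue that is too large, while a risk-centric ranking (severity adjusted by public exploit availability, exposure, end-of-life status and spread) orders work differently. The findings, the fixture identifiers (VULN-01 and so on, deliberately not CVE IDs), the field names and the weights in risk_score are all constructed assumptions for illustration, not data or a scoring scheme from the report.

```python
"""Severity bands and triage strategies over a constructed set of findings.

Added example, not code from the report. Bands follow the NVD labels for
CVSSv2 (Low/Medium/High) and the CVSSv3 qualitative rating scale.
"""
from dataclasses import dataclass
from typing import Callable, Optional


def cvssv2_band(score: float) -> str:
    """NVD severity band for a CVSSv2 base score (v2 has no Critical band)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSSv2 score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def cvssv3_band(score: float) -> str:
    """CVSSv3 qualitative severity rating (None/Low/Medium/High/Critical)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSSv3 score out of range: {score}")
    if score == 0.0:
        return "None"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance as a scanner might report it.
    Field names are assumptions for this example, not a scanner's schema."""
    vuln_id: str               # constructed fixture id, not a real CVE
    cvss_v2: float
    cvss_v3: Optional[float]   # None when no v3 score was ever issued (older CVEs)
    exploit_public: bool
    internet_facing: bool      # at least one affected asset is reachable from outside
    end_of_life: bool          # vendor no longer ships fixes for this software
    asset_count: int


# Constructed sample findings (not data from the report): a mix of legacy
# v2-only entries and newer ones scored under both versions.
SAMPLE_FINDINGS = [
    Finding("VULN-01", 10.0, 9.8,  True,  True,  False, 3),
    Finding("VULN-02", 9.3,  None, True,  False, True,  40),   # legacy, v2-only
    Finding("VULN-03", 7.5,  8.1,  False, True,  False, 12),
    Finding("VULN-04", 6.8,  8.8,  False, False, False, 200),  # Medium in v2, High in v3
    Finding("VULN-05", 5.0,  7.6,  True,  True,  False, 1),    # Medium in v2, exploited
    Finding("VULN-06", 4.3,  6.1,  False, False, False, 500),
    Finding("VULN-07", 2.1,  3.7,  False, False, False, 9),
    Finding("VULN-08", 9.0,  None, False, False, True,  2),    # legacy, v2-only
]

Selector = Callable[[Finding], bool]


def critical_only(f: Finding) -> bool:
    """The 'remediate only Critical CVEs' policy: CVSSv2 9.0-10.0."""
    return f.cvss_v2 >= 9.0


def high_or_above(f: Finding) -> bool:
    return cvssv2_band(f.cvss_v2) == "High"


def exploit_available(f: Finding) -> bool:
    return f.exploit_public


def risk_score(f: Finding) -> float:
    """Risk-centric ranking: severity adjusted by exploitability, exposure,
    fixability and blast radius. The weights are assumptions chosen for this
    example, not a standard; tune them to your environment."""
    score = f.cvss_v3 if f.cvss_v3 is not None else f.cvss_v2
    if f.exploit_public:
        score *= 1.5            # weaponised bugs get attacked first
    if f.internet_facing:
        score *= 1.3            # reachable without an existing foothold
    if f.end_of_life:
        score += 2.0            # no vendor fix coming; needs mitigation, not a patch
    score += min(f.asset_count, 100) / 50.0   # spread, capped so it cannot dominate
    return round(score, 2)


def queue_under(findings, selector: Selector):
    """Work queue a threshold policy produces: every finding that passes."""
    return [f.vuln_id for f in findings if selector(f)]


def ranked_queue(findings, top_n: int):
    """Work queue a risk-centric policy produces: the top_n by risk_score."""
    ordered = sorted(findings, key=risk_score, reverse=True)
    return [f.vuln_id for f in ordered[:top_n]]


def daily_residual(daily_findings: int, share_selected: float) -> int:
    """Findings per day a threshold policy still hands to the team."""
    return round(daily_findings * share_selected)


def band_shift(findings) -> int:
    """Findings that CVSSv3 rates High/Critical but CVSSv2 does not rate High."""
    return sum(1 for f in findings
               if f.cvss_v3 is not None
               and cvssv3_band(f.cvss_v3) in ("High", "Critical")
               and cvssv2_band(f.cvss_v2) != "High")


if __name__ == "__main__":
    print("critical only :", queue_under(SAMPLE_FINDINGS, critical_only))
    print("high or above :", queue_under(SAMPLE_FINDINGS, high_or_above))
    print("exploit avail :", queue_under(SAMPLE_FINDINGS, exploit_available))
    print("risk top 3    :", ranked_queue(SAMPLE_FINDINGS, 3))
    print("v3-only High+ :", band_shift(SAMPLE_FINDINGS))
    print("daily residual:", daily_residual(870, 0.12))
```

Compare the queues: the CVSSv2 9.0–10.0 threshold keeps VULN-08 (an end-of-life package on two hosts with no public exploit) and drops VULN-05 (CVSSv2 5.0, but publicly exploited and internet-facing), while the ranked queue does the opposite. band_shift shows how many of the constructed findings move up a band under CVSSv3, the effect the takeaways describe, and daily_residual(870, 0.12) reproduces the report's "more than a hundred per day" figure.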