Real Bug Volumes in 2020 Exceed Official CVEs by 29%: Report

Total vulnerability disclosures for 2020 are on track to exceed the previous year’s figures, with a large percentage not recorded in the official National Vulnerability Database (NVD), according to Risk Based Security.

The security vendor’s 2020 Year End Vulnerability QuickView Report recorded 23,269 bugs last year, although there may still be some left to come in.

“Organizations should be aware that … 1917 have a public exploit, are remotely exploitable, and do not have a mitigating solution. If a vital asset is affected by any of these vulnerabilities, organizations may want to assess their risk accordingly,” the report warned.

“However, for the 2688 remotely exploitable vulnerabilities that have a public exploit but do have a mitigating solution, organizations should place a first level priority on fixing those issues.”
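The report's guidance above amounts to a three-way triage rule on a vulnerability feed, and its NVD-gap figures point at a second check: whether an urgent flaw would even be visible to a team that only tracks CVE IDs. The following Python is an added example, not code from the report or from Risk Based Security's VulnDB; the record layout (`Vuln`), the bucket names and the sample records with placeholder CVE IDs are all constructed for illustration.

```python
"""Vulnerability triage and CVE-coverage gap check.

Added example. The Vuln record layout, bucket names and sample data are
assumptions for illustration, not the VulnDB schema or API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str               # vendor-side tracking id (constructed)
    cve_id: Optional[str]      # None when no CVE exists for the flaw
    cve_reserved: bool         # CVE assigned but details not yet published
    public_exploit: bool       # a public exploit is known
    remote: bool               # remotely exploitable
    has_mitigation: bool       # a patch or workaround is available


# Buckets mirroring the report's guidance:
#   public exploit + remote + fix available   -> fix first
#   public exploit + remote + no fix          -> assess exposure of vital assets
#   everything else                           -> routine handling
ASSESS = "assess-risk-no-fix"
FIX_FIRST = "fix-first"
ROUTINE = "routine"
_RANK = {ASSESS: 0, FIX_FIRST: 1, ROUTINE: 2}


def triage(v: Vuln) -> str:
    """Assign one vulnerability to a bucket."""
    if v.public_exploit and v.remote:
        return FIX_FIRST if v.has_mitigation else ASSESS
    return ROUTINE


def work_queue(vulns: List[Vuln]) -> List[Tuple[str, str]]:
    """Return (bucket, vuln_id) pairs, most urgent first; stable for ties."""
    return sorted(((triage(v), v.vuln_id) for v in vulns),
                  key=lambda pair: _RANK[pair[0]])


def nvd_coverage_gap(vulns: List[Vuln]) -> Dict[str, object]:
    """Count records a CVE-only process would miss or could not act on."""
    total = len(vulns)
    no_cve = [v.vuln_id for v in vulns if v.cve_id is None]
    reserved = [v.vuln_id for v in vulns
                if v.cve_id is not None and v.cve_reserved]
    # Urgent items that have no CVE, or only a reserved one without details.
    urgent_unseen = [v.vuln_id for v in vulns
                     if triage(v) != ROUTINE
                     and (v.cve_id is None or v.cve_reserved)]
    return {
        "total": total,
        "no_cve": len(no_cve),
        "no_cve_pct": round(100.0 * len(no_cve) / total, 1) if total else 0.0,
        "reserved": len(reserved),
        "urgent_not_actionable_via_cve": urgent_unseen,
    }


# Constructed sample feed; CVE IDs are placeholders, not real identifiers.
SAMPLE_FEED = [
    Vuln("VDB-0001", "CVE-EXAMPLE-0001", False, True, True, True),
    Vuln("VDB-0002", "CVE-EXAMPLE-0002", False, True, True, False),
    Vuln("VDB-0003", None, False, True, True, False),
    Vuln("VDB-0004", "CVE-EXAMPLE-0004", True, False, True, True),
    Vuln("VDB-0005", None, False, False, False, True),
    Vuln("VDB-0006", "CVE-EXAMPLE-0006", False, True, False, True),
]

if __name__ == "__main__":
    for bucket, vid in work_queue(SAMPLE_FEED):
        print(f"{bucket:22} {vid}")
    print(nvd_coverage_gap(SAMPLE_FEED))
```

On the sample feed, VDB-0002 and VDB-0003 land in the assess bucket and VDB-0001 is the first item to fix; VDB-0003 also shows up as urgent yet invisible to a CVE-keyed feed, which is the practical consequence of the 29% gap the report describes.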

The figures for 2020 come despite a sharp fall at the start of the year due to COVID-19, when year-on-year disclosures in Q1 dropped by over 19%.

Although things started to normalize soon after when organizations returned to business-as-usual, this arguably put even more pressure on sysadmins. Bug disclosures reached almost 70 per day, peaking at 384 in a single day in 2020, the report claimed.

Risk Based Security also warned that an increasing number of vulnerabilities aren’t being recorded in the NIST NVD, the de facto resource for many in the industry.

In fact, the vendor’s VulnDB team recorded 6767 flaws which had no corresponding CVE, which amounts to nearly 29% of the total for the year. A further 686 (4%) were marked as “Reserved,” meaning that a CVE ID number has been assigned, but the details required to act on the vulnerability are not available.

All told, Risk Based Security claimed to have recorded around 80,000 vulnerabilities over the years which are not in the NVD.
