Russia Publishes Only 10% of CVEs

Russian vulnerabilities published by year
Russian vulnerabilities published by year

A report by Recorded Future has found that Russia's vulnerability database, while highly focused, is incomplete and slow, and only publishes 10% of known vulnerabilities.

Run by the military organization, Federal Service for Technical and Export Control of Russia (FSTEC), the vulnerability database, also known as BDU, has published only 11,036 vulnerabilities of the 107,901 Common Vulnerabilities and Exposures (CVEs) reported by NVD (approximately 10%). FSTEC populates the BDU database with vulnerabilities that primarily present a threat to Russian state information systems. This gives researchers information on which technologies, hardware, and software are used on Russian government networks.

The report highlights that FSTEC didn't start publishing vulnerability data until 2014, roughly 15 years after the US NVD was established, but still covered 25% of the CVEs from years before the database was started. Furthermore, among the vulnerabilities that FSTEC published the fastest, 75% were vulnerabilities for browsers or industrial control-related software.

Percentage of vendor CVEs covered by FSTEC
Percentage of vendor CVEs covered by FSTEC

Interestingly, when it comes to monitoring vendors and technologies, Recorded Future found that Russia focused more on Adobe more than any other vendor, covering nearly half of all its vulnerabilities. However, of the vulnerabilities that were not published, 386 had a CVSS score of 10, and 871 had a score greater than eight.

Over the course of the past year, Recorded Future also examined the publication speeds, missions and utility of the NVDs of two countries: China and the US. It found that Russia was on average 83 days slower than China to publish vulnerabilities, and 50 days slower than the US.

"As the research demonstrates, FSTEC broadly publishes only about 10% of known vulnerabilities," Priscilla Moriuchi and Dr Bill Ladd wrote. "The larger question is, 'Why?' Why waste resources on a vulnerability disclosure database that does not address 90% of vulnerabilities for its users?

"There are three likely hypotheses," they went onto say. "FSTEC is vastly under-resourced and can only focus on key technologies for Russian users; FSTEC is a military organization and is publishing 'just enough' content to be credible as a national vulnerability database, or the FSTEC has a dual offensive and information security mission and publishes based on the competing needs. This would be similar to how China’s NVD (CNNVD) functions." 

What’s Hot on Infosecurity Magazine?