
RE: Counting on CVEs

> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of security curmudgeon
> Sent: 8 March 2012 09:57
> To: Kent_Landfield@McAfee.com
> Cc: cve-editorial-board-list@lists.mitre.org
> Subject: Re: Counting on CVEs
> : I have just had a very concerning discussion about the usefulness of
> : CVEs as a means to measure vulnerabilities today and the decay of its
> : value if the trend continues.  The discussion centered around the
> : accuracy of the numbers of CVEs identified compared to those reported in
> : the community as a whole.  If we looked at just the CVE numbers, it
> : appears that the numbers of vulnerabilities have been dropping since a
> : high in 2008.  This is a rather important error. As we all know, this is
> : not accurate. Vulnerabilities have not been dropping, they are growing,
> : not dropping by 30%.
> I can't find it right off, but this came up several years back when several
> people noticed the drop in vulnerability totals around 2008. After additional
> examination of CVE, OSVDB, Secunia, and I believe BID, all four databases
> showed roughly the same drop. That in turn led to speculation about *why*
> it was happening. I don't recall seeing anyone showing a 5-year trending of
> vulnerability counts, as seen through multiple VDBs, but I would honestly
> request to see some rough numbers before pursuing this line of discussion
> further.

I just participated in a panel ("Is it 0-day or 0-care?") at RSAC where I had included some slides on various vulnerability trends based on the Secunia database. I'm not sure if the slides are already publicly available, but otherwise they should be at some point in the near future (if not, I'll be happy to provide the slides to anyone interested). Anyway, based on our database, the total number of vulnerabilities for the past years was:

2005: 6706
2006: 9915
2007: 7595
2008: 8387
2009: 7773
2010: 9640
2011: 9114

These numbers do not include any fake/invalid vulnerabilities and should only include a very low percentage of dupes (these cannot be completely filtered out as a result of how we generate the vulnerability numbers from our advisories). Note that the total is for stable products only, as the Secunia database (apart from a few exceptional cases) doesn't cover vulnerabilities in unstable/development products.

The same slide also included the trend in the number of SAIDs (Secunia Advisory IDs) issued to cover these vulnerabilities, as well as the number of CVEs assigned for these vulnerabilities. While the number of SAIDs isn't interesting to this discussion, the number of CVEs assigned is; there does seem to be a drop in the number of vulnerabilities covered after 2008 (the percentage is the CVE-to-vulnerability ratio), and if anything our efforts in ensuring that our SAIDs include CVEs have increased:

2005: 3348 (49.9%)
2006: 5531 (55.8%)
2007: 4443 (58.5%)
2008: 5192 (61.9%)
2009: 3938 (50.7%)
2010: 4122 (42.8%)
2011: 3542 (38.9%)


Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist


Mikado House
Rued Langgaards Vej 8
2300 Copenhagen S

Phone +45 7020 5144
Fax   +45 7020 5145

Page Last Updated or Reviewed: November 06, 2012