News & Events

Please use our LinkedIn page to comment on the articles below, or use our CVE Request Web Form by selecting “Other” from the dropdown.

New CVE Board Member from Trend Micro/Zero Day Initiative
July 2, 2019

Shannon Sabens of Trend Micro Incorporated/Zero Day Initiative (ZDI) has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

Minutes from CVE Board Teleconference Meeting on June 26 Now Available
July 2, 2019

The CVE Board held a teleconference meeting on June 26, 2019. Read the meeting minutes.

floragunn GmbH Added as CVE Numbering Authority (CNA)
June 26, 2019

floragunn GmbH is now a CVE Numbering Authority (CNA) for all issues related to Search Guard only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 98 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; SonicWALL; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

NOTICE: CVE Request Web Form – System Maintenance from 8:00pm EDT June 28 through 8:00pm EDT June 30
June 20, 2019

Due to scheduled maintenance, the CVE Request Web Form for contacting the Program Root CNA will be unavailable from 8:00 p.m. Eastern time on Friday, June 28, 2019 until 8:00 p.m. Eastern time on Sunday, June 30, 2019.

The 97 other CVE Numbering Authority (CNA) organizations may still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Minutes from CVE Board Teleconference Meeting on June 12 Now Available
June 19, 2019

The CVE Board held a teleconference meeting on June 12, 2019. Read the meeting minutes.

New CVE Board Member from Cisco
June 18, 2019

Patrick Emsweller of Cisco Systems, Inc. has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

CVE at FIRST 2019
June 12, 2019

Members of the CVE Team will be at FIRST Conference 2019 at the Edinburgh International Conference Centre in Edinburgh, Scotland on June 16-21, 2019. Please look for us and say hello!

In addition, CVE will be a discussion topic in two talks by Chandan Nandakumaraiah of Juniper Networks, Inc.:

Chandan is a member of the CVE Automation Working Group, and Juniper is a CVE Numbering Authority (CNA).

UPDATED NOTICE: Issue with CVE Request Web Form Automatic Responses Is Resolved
June 11, 2019 (updated June 12, 2019)

We have recently detected that automatic responses from the CVE Request Web Form are not being sent when a request is submitted via the form. As a result, although your CVE requests are being received, automatic confirmation emails are not being sent.

We are actively addressing this issue, and will update this notice once we have resolved the problem. We apologize for any inconvenience.

UPDATE: This issue is resolved as of June 12, 2019.

Minutes from CVE Board Teleconference Meeting on May 29 Now Available
June 5, 2019

The CVE Board held a teleconference meeting on May 29, 2019. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on May 15 Now Available
May 21, 2019

The CVE Board held a teleconference meeting on May 15, 2019. Read the meeting minutes.

NOTICE: CVE Main Website – Possible Intermittent Outages from 8:00am-1:00pm EDT on May 18
May 17, 2019

Due to scheduled maintenance, the CVE List and all other pages on this main CVE Website may be temporarily unavailable at times from 8:00 a.m. until 1:00 p.m. Eastern time on Saturday, May 18, 2019.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Bosch Added as CVE Numbering Authority (CNA)
May 9, 2019

Robert Bosch GmbH is now a CVE Numbering Authority (CNA) for Bosch products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 97 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; SonicWALL; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Minutes from CVE Board Teleconference Meeting on May 1 Now Available
May 7, 2019

The CVE Board held a teleconference meeting on May 1, 2019. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on April 17 Now Available
April 23, 2019

The CVE Board held a teleconference meeting on April 17, 2019. Read the meeting minutes.

Jenkins Project, Kubernetes, PHP Group, Pivotal Software, and Snyk Added as CVE Numbering Authorities (CNAs)
April 18, 2019

Five additional organizations are now CVE Numbering Authorities (CNAs): Jenkins Project for Jenkins and Jenkins plugins distributed by the Jenkins project (listed on plugins.jenkins.io) only; Kubernetes for Kubernetes issues only; PHP Group for vulnerabilities in PHP code (code in https://github.com/php/php-src) only; Pivotal Software, Inc. for Pivotal, Spring, and Cloud Foundry issues only; and Snyk for vulnerabilities in third-party products discovered by Snyk only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 96 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; SonicWALL; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

CVE Board Adds a “CNA Coordination Working Group Liaison” Board Member
April 17, 2019

Tod Beardsley of Rapid7 has been added as the “CNA Coordination Working Group Liaison” CVE Board member, and will represent the CVE Numbering Authorities (CNAs) in CVE Board meetings.

Minutes from CVE Board Teleconference Meetings on March 20 and April 3 Now Available
April 17, 2019

The CVE Board held teleconference meetings on March 20, 2019 and April 3, 2019. Read the March 20 and April 3 meeting minutes.

How CVE Content Is Provided Has Changed
March 20, 2019

The CVE Program has upgraded the infrastructure used to process and post CVE Entries to the CVE List, resulting in some changes to how CVE content is provided on the individual CVE Entry pages and in the various CVE List download files on the CVE website. These changes may affect products, services, and processes that incorporate vulnerability content from the CVE download files.

See “Changes to How CVE Content Is Provided Begins on March 17” for a list of the specific changes resulting from the infrastructure upgrades.

Please use our CVE Request Web Form by selecting “Other” from the dropdown to contact us with any comments or concerns.

CVEProject GitHub Submissions Service for CNAs Is Now Restored
March 20, 2019

The CVE Program's infrastructure upgrades are now complete (see “NOTICE: CVEProject GitHub Submissions Service Will Be Temporarily Unavailable March 17-18” for details). As a result, the CVEProject GitHub.com website service for CVE Numbering Authorities (CNAs) is now restored. There were no changes to the GitHub submission service itself.

Please contact the CNA Coordinator directly with any comments or concerns, or use our CVE Request Web Form to contact us by selecting “Other” from the dropdown.

The Document Foundation Added as CVE Numbering Authority (CNA)
March 18, 2019

The Document Foundation is now a CVE Numbering Authority (CNA) for projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online. The Document Foundation discourages reporting denial of service bugs as security issues.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 92 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; SonicWALL; SUSE; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Changes to How CVE Content Is Provided Begins on March 17
March 7, 2019

The CVE Program is upgrading the infrastructure used to process and post CVE Entries to the CVE List. This upgrade process will begin at 12:00 a.m. EST on March 17, 2019, and last for one or two days. As a result of the upgrades, some of the ways in which CVE content is provided on the individual CVE Entry pages and in the various CVE List download files on the CVE website will change. These changes may affect products, services, and processes that incorporate vulnerability content from the CVE download files. We will make a follow-up announcement once the rollout is complete.

Specific changes include:

Also, please note that during the rollout process searching and downloading of the CVE List may be temporarily unavailable or incomplete at times as the changes are rolled out. Other pages on the website such as supporting information, documents, news, blog, etc., will remain available.

Please use our CVE Request Web Form by selecting “Other” from the dropdown to contact us with any comments or concerns.

NOTICE: CVEProject GitHub Submissions Service Will Be Temporarily Unavailable March 17-18
March 7, 2019

The CVE Program is upgrading the infrastructure used to process and post CVE Entries to the CVE List. This upgrade process will begin on March 17, 2019, and last one or two days. Because of the upgrade, we are requesting that CVE Numbering Authorities (CNAs) with access to the CVEProject GitHub.com website service NOT USE the service—and especially NOT MAKE ANY PULL REQUESTS—beginning at 12:00 a.m. EST on March 17, 2019. This outage will last one or two days. We will make a follow-up announcement here, and on the CNA email list, once service resumes.

We apologize for any inconvenience. Please contact the CNA Coordinator directly with any comments or concerns, or use our CVE Request Web Form to contact us by selecting “Other” from the dropdown.

CVE Program Root CNA to Assume DWF’s Open Source Product Coverage Responsibilities Beginning March 7
March 7, 2019

The Distributed Weakness Filing (DWF) project, which assigns vulnerability identifiers for Open Source products, was incorporated into CVE in 2016 as a pilot, becoming a Root CVE Numbering Authority (CNA) consistent with the CVE Program’s federated governance and operational strategy. As a result of the important work of Kurt Seifried of the Cloud Security Alliance (CSA) and other community volunteers, the CVE Program significantly increased Open Source product coverage and added several new CNAs. The program also gained important experience in onboarding and operating Root CNAs as part of the effort to federate the CVE Program.

The DWF pilot will end on March 7, 2019. The sub-CNAs that previously reported to DWF will coordinate with MITRE, the CVE Program Root CNA. Many thanks to Kurt Seifried for his dedication to security and for his enthusiasm and energy in establishing DWF and expanding CVE’s reach.

If you made a CVE ID request through a DWF web form (such as https://iwantacve.org) in the past but the CVE Entry was never populated, then DWF automatically made your request data public, and MITRE has a copy of that public data. Because of this, please do not send duplicate requests to MITRE. You should make a new CVE ID request to MITRE only if there was an embargo on the vulnerability information and your contact with DWF was only through email (i.e., you never used a DWF web form).

Follow these steps to request CVE IDs:

  1. Locate the correct CVE Numbering Authority (CNA) whose scope includes the product affected by the vulnerability in the Participating CNAs table on the Request a CVE ID page on the CVE website.
  2. Contact the appropriate CNA using the contact method provided.
  3. If the product affected by the vulnerability is not covered by an existing CNA, please contact the CVE Program Root CNA (MITRE) by completing our CVE Request Web Form.

Please use our CVE Request Web Form by selecting “Other” from the dropdown to contact us with any comments or concerns.

CVE at RSA 2019
March 3, 2019

Members of the CVE Team will be at RSA Conference 2019 at the Moscone Center in San Francisco, California, USA on March 4-8, 2019. Please stop by the MITRE booth #3124 in the South Expo and say hello. We look forward to seeing you!

NOTICE: CVE Request Web Form – Possible Outage from 8:00pm-10:00pm EST on February 21
February 20, 2019

Due to scheduled maintenance, the CVE Request Web Form for contacting the Program Root CNA may be temporarily unavailable from 8:00 p.m. until 10:00 p.m. Eastern time on Thursday, February 21, 2019.

The 92 other CVE Numbering Authority (CNA) organizations can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Minutes from CVE Board Teleconference Meeting on February 6 Now Available
February 14, 2019

The CVE Board held a teleconference meeting on February 6, 2019. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on January 23 Now Available
February 11, 2019

The CVE Board held a teleconference meeting on January 23, 2019. Read the meeting minutes.

Updated NOTICE: Intermittent Issues with CVE List Downloads is Resolved
February 8, 2019 (updated February 28, 2019)

Recently, we have detected that downloads of the CVE List available on the Download CVE page occasionally do not finish because of an infrastructure problem, e.g., a download attempt may make no further progress after the first 80 MB.

To work around this, please ensure that the URL has “https:” rather than “http:” at the beginning. We will update this notice when we have resolved the problem. We apologize for any inconvenience. Please contact us with any comments or concerns.

UPDATE: This issue is resolved as of February 28, 2019.

Johnson Controls Added as CVE Numbering Authority (CNA)
February 7, 2019

Johnson Controls is now a CVE Numbering Authority (CNA) for Johnson Controls products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 92 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; SonicWALL; SUSE; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

CVE Is Main Source of Vulnerability Data Used in Article about Application Security Vulnerabilities
January 23, 2019

CVE is the main source of vulnerability data used in a January 15, 2019 article entitled “Top 10 Application Security Vulnerabilities of 2018” on the WhiteHat Security blog. The article, which uses CVE Entries to identify the vulnerabilities discussed, describes the “most common web exploits used by malicious attackers during the past 12 months—as well as valuable prevention tips for enterprises to implement in the new year.”

The CVE Entries cited in the article are: CVE-2018-9206, CVE-2018-6389, CVE-2018-7600, CVE-2018-7602, CVE-2018-1273, CVE-2018-1999024, CVE-2018-4878, and CVE-2018-1260. Visit these CVE Entry pages to learn more about these issues.

Minutes from CVE Board Teleconference Meeting on January 9 Now Available
January 23, 2019

The CVE Board held a teleconference meeting on January 9, 2019. Read the meeting minutes.

CVE Is Main Topic of Article on WhiteSource Blog
January 23, 2019

CVE is the main topic of a January 7, 2019 article entitled “What Is a CVE Vulnerability And How To Understand Its Details” on the WhiteSource blog.

In the article, the author explains what CVE is and how the program works; defines CVE Entries and discusses the role of CVE Numbering Authorities (CNAs) in assigning them; discusses what the CVE Program currently considers to be a vulnerability [for a detailed explanation, refer to Appendix C of the CNA Rules v2.0, a community consensus document authored by CNAs and the CVE Board]; discusses CVSS and severity scoring of CVE Entries by NVD; and explains the difference between the U.S. National Vulnerability Database (NVD) and CVE List.

The author concludes the article by stating that while “Security flaws are a wide and varied mix, reported in various databases, advisory boards and bug trackers and consisting of a diverse set of features and qualities … [CVE is] the foremost list for the documentation of security vulnerabilities in publicly released software.”

CVE Mentioned in Article about NVD
January 23, 2019

CVE is mentioned throughout a December 18, 2018 article entitled “The National Vulnerability Database Explained” on the WhiteSource blog. The main topic of the article is the National Institute of Standards and Technology’s U.S. National Vulnerability Database (NVD).

CVE is first mentioned when the author discusses the types of information in NVD, when the author notes that the base information of “a description of the CVE [Entry] and the source of the information” is provided by the CVE List, which NVD then builds upon by providing CVSS scores and other enhanced content. CVE is mentioned again in a section entitled “How The National Vulnerability Database Differs From The CVE,” in which the author explains how CVE and NVD are separate programs, and that the CVE List was established five years before NVD; that the CVE List provides the basic information for CVE Entries—identification number, description, and at least one public reference—that NVD then builds upon; and that the two efforts “work hand-in-hand, making the information more accessible for the readers. To put it simply, the CVE is the organization that receives submissions and IDs them, while the NVD adds the analysis and makes it easier to search and manage them.”

CVE is mentioned a third time in a section entitled “The Vulnerability Publishing Roadmap,” when the author briefly describes the process of how a vulnerability becomes a CVE Entry on the CVE List and is then posted to NVD. The author states: “NVD relies solely on the CVE for its feed of submitted vulnerabilities and does not perform any of its own searches for vulnerabilities in the wild … This means that the NVD has turned into a pretty exhaustive and dependable database that will continue to grow over time.”

Minutes from CVE Board Teleconference Meeting on December 12 Now Available
January 9, 2019

The CVE Board held a teleconference meeting on December 12, 2018. Read the meeting minutes.

CVE Is Main Source of Vulnerability Data Used in Tenable’s 2018 Vulnerability Intelligence Report
January 3, 2019

CVE is the main source of vulnerability data used in Tenable, Inc.'s 2018 Vulnerability Intelligence Report, which discusses “general overall trends in vulnerabilities and operationalized intelligence based on what enterprises actually have to deal with in their own environments.”

The authors of the report found that the “discovery and disclosure of vulnerabilities continue to grow in volume and pace. In 2017 alone, an average of 41 new vulnerabilities were published every single day, for a total of 15,038 for the year. Additionally, the growth in newly disclosed vulnerabilities from the first half of 2018 showed a 27 percent increase over the first half of 2017.”

In the report, the authors “provide an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments [and] analyze vulnerability prevalence in the wild, based on the number of affected enterprises, to highlight vulnerabilities that security practitioners are dealing with in practice – not just in theory.” From their study, the authors conclude that “managing vulnerabilities is a challenge of scale, velocity and volume. It is not just an engineering challenge, but requires a risk-centric view to prioritize thousands of vulnerabilities that superficially all seem the same.”

Read the complete report at: https://www.tenable.com/cyber-exposure/vulnerability-intelligence/. The report is free to download, but sign-up may be required.

Page Last Updated or Reviewed: July 10, 2019