A record-breaking number of 20,832 vulnerabilities have been discovered in 2017 but only 12,932 of these received an official CVE identifier last year, a Risk Based Security (RBS) report reveals.
This means that 7,900 security bugs remained without a CVE-2017-XXXXX number, and were left off the databases of many security scanners because of it.
Furthermore, this also means that many security bugs remained buried on forums and personal blogs —places where attackers might have the time to scout, but where many IT security departments will never look.
This isn’t the first time that MITRE’s Common Vulnerability Enumeration (CVE) and the DHS’ National Vulnerability Database (NVD) have fallen short of identifying and categorizing all security flaws during a year, something that’s becoming of a habit for the two organizations this past decade.
The reasons are plenty, but one of them is the explosion of security bugs in IoT devices, which has made it harder for Mitre and NVD staffs to keep up with all the bugs.
Furthermore, almost 7,000 2917 vulnerabilities received a RESERVED CVE status, with no public details available, despite 1,342 of them having a public disclosure. « This seems to indicate that MITRE is more focused on assigning and increasing the number of IDs, and not ensuring the quality of data, » RBS experts concluded.
To read the original article: