A new report shows companies that rely solely on the Common Vulnerabilities and Exposures (CVE) system for their vulnerability information are leaving themselves exposed to a substantial number of security issues they don’t know about.
Risk Based Security’s researchers have so far this year identified 5,970 more vulnerabilities than were reported in the CVE and National Vulnerability Database (NVD). Of these, 18.4% had a CVSS v2 score ranging from 9 to 10, meaning they were considered critical. When vulnerabilities with a severity rating of 7 to 9 were also counted, some 43.5% of the 5,970 flaws not reported in the CVE/NVD system were either high-risk or critical. Flaws not listed in CVE/NVD included those affecting products from major vendors, including Oracle, Microsoft, and Google.