Flashpoint reports that its vulnerability database recorded 11,860 cybersecurity vulnerability disclosures for the first half of 2022, 27.3% of which were missed or not detailed by MITRE's CVE system.

Cyberthreat intelligence company Flashpoint said in a report issued this week that it detected a total of 11,860 vulnerabilities in the first half of 2022, with almost a third of them missed or not detailed by the public MITRE CVE (Common Vulnerabilities and Exposures) database.

The report, “State of Vulnerability Intelligence,” includes disclosures—security vulnerabilities in hardware and software products reported by vendors and cybersecurity experts—collected by Flashpoint’s in-house vulnerability intelligence database, VulnDB.

Flashpoint said that there were large discrepancies in the severity and classification of vulnerabilities recorded by VulnDB and those recorded in MITRE’s CVE database and the NVD database maintained by NIST (the US National Institute of Standards and Technology). NIST and MITRE coordinate their findings and report similar vulnerabilities. Flashpoint advised organizations to rely on more comprehensive and specific sources for a clear understanding of the vulnerability landscape.

Flashpoint: MITRE CVE misses vulnerabilities

Flashpoint claimed that 20.7% of the vulnerabilities reported by VulnDB did not have CVE IDs, indicating a lapse by the public MITRE database. A further 6.6% were found to be recorded in the Reserved section of CVE, which holds disclosures to which MITRE has assigned IDs but not yet published details. “Comparing Flashpoint’s VulnDB coverage to MITRE and NIST, CVE / NVD failed to report and detail 27.3% of all known disclosed vulnerabilities in the first half of 2022,” the report said.

The report also highlighted that CVSS (Common Vulnerability Scoring System) scoring guidelines dictate scoring “for the worst” if details involving any of the considered metrics are unclear.
CVSS metrics include Access Vector, Access Complexity, and a vulnerability’s impact on authentication, confidentiality, integrity, and availability. Flashpoint said that while this methodology is intended to ensure scores are not too low, it ends up assigning an undue 10.0 to many vulnerabilities, and that such vulnerabilities have accounted for an average of 51.5% of all vulnerabilities rated 10.0 in each of the last 10 years.

Flashpoint’s analysis put 2,081 of the vulnerabilities it found into a “sweet spot”: they have a public exploit and are remotely exploitable, but are easily patchable. These, it added, can be prioritized during remediation, and the resulting efficiency can reduce the workload on security teams by 82%.

The report also revealed that, during the first half of the year, Flashpoint identified approximately 40% more “discovered in the wild” vulnerabilities than Google’s popular Project Zero. These vulnerabilities are important because they include issues both in commonly used software and in developing technologies such as blockchain, Flashpoint said.

SUSE tops list for vulnerability disclosures

The first half of the year saw a significant number of vulnerability disclosures for products from SUSE, SPI, Microsoft, and Google, with 735, 712, 677, and 573 vulnerabilities respectively, according to VulnDB. SUSE had six products in the list of the 10 products with the most disclosures for the period.

The highest numbers of disclosures came on “Patch Tuesdays,” Flashpoint said. Patch Tuesday is the second Tuesday of the month, when most critical security updates from companies including Microsoft, Adobe, and Oracle are released. Patch Tuesdays account for six of the 10 most active days in terms of vulnerability disclosures. Other highly active days included Oracle’s quarterly Critical Patch Update and software updates from companies including Bentley, Cisco, and Juniper.
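To make the “score for the worst” rule discussed above concrete, here is an added example (not part of the report or the article) that computes a CVSS v2 base score from the metrics the article names and fills every unknown metric with its highest-weighted value. The metric weights are the published CVSS v2 constants; the sample vectors are constructed for illustration.

```python
# Added example: CVSS v2 base-score calculator that applies the "score for
# the worst" rule to unknown metrics. Weights are the published CVSS v2
# values; the vectors used below are constructed, not taken from the report.

AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # Confidentiality/Integrity/Availability

WEIGHTS = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}


def worst_case_fill(partial: dict) -> dict:
    """Replace every missing metric with the value that maximises the score."""
    full = dict(partial)
    for name, table in WEIGHTS.items():
        if name not in full:
            full[name] = max(table, key=table.get)
    return full


def cvss2_base(vector: dict) -> float:
    """CVSS v2 base score for a complete six-metric vector."""
    impact = 10.41 * (1 - (1 - CIA[vector["C"]]) * (1 - CIA[vector["I"]]) * (1 - CIA[vector["A"]]))
    exploitability = 20 * AV[vector["AV"]] * AC[vector["AC"]] * AU[vector["Au"]]
    if impact == 0:            # f(Impact) = 0 when there is no impact at all
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def score_partial(partial: dict) -> float:
    """Score an incomplete vector the way the guideline does: assume the worst."""
    return cvss2_base(worst_case_fill(partial))


def parse_vector(text: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P'-style strings, tolerating missing metrics."""
    return dict(part.split(":") for part in text.split("/") if part)


if __name__ == "__main__":
    # Nothing known: every metric defaults to its worst value -> 10.0
    print(score_partial(parse_vector("")))                            # 10.0
    # Only I and A unknown: both default to Complete -> 9.7
    print(score_partial(parse_vector("AV:N/AC:L/Au:N/C:P")))          # 9.7
    # Same vulnerability once I and A are confirmed Partial -> 7.5
    print(score_partial(parse_vector("AV:N/AC:L/Au:N/C:P/I:P/A:P")))  # 7.5
```

The gap between the 9.7 and 7.5 results for the same flaw is the inflation the report describes: the score drops only once the missing impact details are actually researched.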
However, other days, or “standard” days, are seeing an increasing number of disclosures, Flashpoint said.

VulnDB recorded fewer vulnerability disclosures than the 12,160 it recorded for the first half of last year. The report noted, however, that the modest start to 2022 is expected to pick up in the second half of the year. This is due to a possibly large number of backfillings, which are late entries for vulnerabilities that have been reported but not yet included in the VulnDB database because they have not been thoroughly researched yet.

Response time more important than total vulnerabilities

According to Flashpoint, it is important that business leaders do not interpret vulnerability totals as a positive or negative indicator of a vendor’s security posture. To explain, Flashpoint described an in-house collection of metadata it calls “Vulnerability Timeline and Exposure Metrics (VTEM)” that can show details such as the average time a vendor takes to respond to a security vulnerability with a patch and the estimated time before an exploit is available.

By comparing the two indicators, the report added, security teams can better evaluate vulnerabilities and make decisions. For instance, it noted that Microsoft has a better response time (patches within a month) than many other vendors, despite having a large number of disclosures.