I am completely blown away. I knew CVE creation was outpacing last year. What I did not quite understand was by how much! I had been estimating about 90 a day on average. Damn, was I wrong. The data below shows (thank you, CVEDetails) that we are at almost 40,000 CVEs for the year. On average that is over 110 new CVEs per day! Oh, Sweet Summer Child. I would suggest I have concerns about keeping at this rate, but what we really need to be concerned with is the growth rate. Literally just 3 years ago we only had half this number of CVEs. To be clear, I'm not concerned about finding the vulnerabilities and publishing them. I'm concerned about the industry's ability to *respond* to so many findings.
How do we know it isn't just that vendors are disclosing more vulnerabilities than they used to, rather than that more vulnerabilities are being found?
Given the underlying changes to the vulnerability discovery market, I expect this rate to not only be sustained, but continue to grow. Additionally, there will be many stealthy vulnerabilities that will not be visible until it is too late (i.e. more 0-days too!)
VP of Security at Anchore, Podcaster, Blogger
The devil is in the details, of course :) There are 3 CNAs that account for almost all the growth compared to 2023. I'm too lazy to create the graphs right now, but if you remove the Linux Kernel and the WordPress plugin bug bounty vendors Patchstack and Wordfence, you end up with almost the same as 2023 (it was slightly less last time I looked; no doubt it's changed since then). Now, that's not to diminish the work those 3 CNAs are doing, because more CVE IDs is more better I think.
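The tally described in the comment above (yearly CVE counts with and without the three named CNAs) can be reproduced against the CVE JSON 5.x records in the cvelistV5 repository by grouping on `cveMetadata.assignerShortName`. The script below is an added example, not the commenter's tooling or anything from CVEDetails. The sample records are constructed for the example rather than real CVEs, and the three `assignerShortName` values ("Linux", "Patchstack", "Wordfence") are assumed; check them against the records in the repository before relying on the exclusion list.

```python
"""Added example: tally CVE records by publication year and assigning CNA.

Reads only the cveMetadata block of CVE JSON 5.x records (cveId,
assignerShortName, datePublished, state) as published in cvelistV5.
The records below are constructed for the example, not real CVEs.
"""
import calendar
from collections import Counter, defaultdict
from pathlib import Path
import json

# Assumed assignerShortName values for the three CNAs named in the thread.
EXCLUDED_CNAS = frozenset({"Linux", "Patchstack", "Wordfence"})


def _rec(cve_id, cna, published, state="PUBLISHED"):
    """Build a minimal CVE 5.x record containing only the fields this script reads."""
    return {"cveMetadata": {"cveId": cve_id, "assignerShortName": cna,
                            "datePublished": published, "state": state}}


# Constructed sample data (not real CVEs).
SAMPLE_RECORDS = [
    _rec("CVE-2023-0001", "mitre", "2023-02-01T10:00:00.000Z"),
    _rec("CVE-2023-0002", "Wordfence", "2023-05-01T10:00:00.000Z"),
    _rec("CVE-2023-0003", "mitre", "2023-09-01T10:00:00.000Z"),
    # A 2023 ID published in 2024: counted under 2024, not under its prefix year.
    _rec("CVE-2023-0004", "mitre", "2024-01-15T10:00:00.000Z"),
    _rec("CVE-2024-0001", "Linux", "2024-03-01T10:00:00.000Z"),
    _rec("CVE-2024-0002", "Linux", "2024-03-02T10:00:00.000Z"),
    _rec("CVE-2024-0003", "Patchstack", "2024-04-01T10:00:00.000Z"),
    _rec("CVE-2024-0004", "Wordfence", "2024-04-02T10:00:00.000Z"),
    _rec("CVE-2024-0005", "mitre", "2024-06-01T10:00:00.000Z"),
    _rec("CVE-2024-0006", "redhat", "2024-07-01T10:00:00.000Z"),
    # Rejected records stay in the repository but should not inflate the count.
    _rec("CVE-2024-0007", "mitre", "2024-08-01T10:00:00.000Z", state="REJECTED"),
]


def load_cvelist(root):
    """Yield records from a cvelistV5 checkout (cves/<year>/<block>/CVE-*.json)."""
    for path in Path(root).rglob("CVE-*.json"):
        with open(path, encoding="utf-8") as fh:
            yield json.load(fh)


def tally_by_year_and_cna(records):
    """Return {year: Counter({assignerShortName: n})} over PUBLISHED records.

    The year comes from datePublished (an RFC 3339 timestamp), not from the
    CVE-YYYY-NNNN prefix: IDs reserved in one year are often published later.
    """
    counts = defaultdict(Counter)
    for rec in records:
        meta = rec["cveMetadata"]
        if meta.get("state") != "PUBLISHED":
            continue
        year = int(meta["datePublished"][:4])
        counts[year][meta["assignerShortName"]] += 1
    return counts


def yearly_totals(records, excluded=frozenset()):
    """Return {year: (total, total_without_excluded_cnas)}."""
    totals = {}
    for year, by_cna in tally_by_year_and_cna(records).items():
        total = sum(by_cna.values())
        removed = sum(n for cna, n in by_cna.items() if cna in excluded)
        totals[year] = (total, total - removed)
    return totals


def per_day(count, year):
    """Average CVEs per calendar day, honouring leap years."""
    return count / (366 if calendar.isleap(year) else 365)


if __name__ == "__main__":
    for year, (total, without) in sorted(yearly_totals(SAMPLE_RECORDS, EXCLUDED_CNAS).items()):
        print(f"{year}: {total} published, {without} excluding {sorted(EXCLUDED_CNAS)}")
    # Against a real checkout: yearly_totals(load_cvelist("cvelistV5/cves"), EXCLUDED_CNAS)
```

Two details matter when running this over the real repository: group by `datePublished` rather than the ID's year prefix, since many IDs are published a year or more after reservation, and skip records whose `state` is `REJECTED`, since those files remain in the tree.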