Of 10,644 vulnerabilities reported in the first half of 2018, 30 percent didn’t appear in the official CVE or NVD systems
“It is highly problematic if an organisation is not aware of higher severity vulnerabilities that pose a risk to their assets” said Carsten Eiram, chief research officer for Risk Based Security. Of those 10,644 reported vulnerabilities, Eiram confirms that a quarter (25.6 percent) currently have no solution. Meanwhile, researchers at NCC Group analysed nine years of its discovered vulnerabilities and found that only 2.4 percent resulted in a CVE numbering. Of the paltry 289 classed as closed, the critical-risk vulnerabilities took an average of 77 days to resolve. A figure that exceeds the industry-accepted 30 day notice period at any risk level. Matt Lewis, research director at NCC Group, says “improving our industry’s ability to detect vulnerabilities before they become an issue is less of an achievement without an established process in place for their remediation and disclosure.”
