Flashpoint Finds Over 100,000 Hidden Vulnerabilities Beyond CVE

I wanted to highlight a blog post from Flashpoint’s Brian Martin announcing that the company has found/identified over 100,000 hidden vulnerabilities beyond what CVE reports.

What does missing vulnerability data mean for organizations?

  1. Facing the unseen danger: Vulnerability management programs that heavily rely on CVE data are likely operating on less than 70 percent of known vulnerability risk.
  2. The hidden threats in plain sight: VulnDB’s non-CVE ID collection includes zero-days and discovered-in-the-wild vulnerabilities. There are known instances of threat actors using them in recent cyberattacks.
  3. A wake-up call for major vendors: Non-CVE vulnerabilities also affect major vendors such as Google, Microsoft, Adobe, Apple, and more. They also affect well-known third-party libraries—a market historically underserved by MITRE, which administers the CVE Program.
  4. Specialized industries, specialized risks: For organizations in highly specialized industries like manufacturing, medical, and blockchain technology, VulnDB’s non-CVE collection is particularly beneficial.
  5. Using VulnDB, triaging and prioritizing non-CVE vulnerabilities is made easier. Every vulnerability entry (whether non-CVE or CVE) is standardized, containing up to 60 distinct classifications based on the disclosure. It also captures public citation, exploit details, CVSSv2, and CVSSv3 scores.

You can read the blog post here: https://flashpoint.io/blog/vulndb-uncovers-hidden-vulnerabilities-cve/
