Every year, security and tech companies publish details of thousands of vulnerabilities. The media duly reports on those vulnerabilities, highlighting the most dangerous issues and advising users on how to stay safe.

But what if I told you that of those thousands of vulnerabilities, few are actively exploited in the wild?

So how many security vulnerabilities are there, and do security companies decide how bad a vulnerability is?

How Many Security Vulnerabilities Are There?

Kenna Security's Prioritization to Prediction Report Series found that in 2019, security companies published over 18,000 CVEs (Common Vulnerabilities and Exposures).

While that figure sounds high, the report also found that, of those 18,000 vulnerabilities, only 473 "reached widespread exploitation," which is around 2 percent of the total. Although these vulnerabilities were indeed being exploited across the internet, that doesn't mean every hacker and attacker around the world was using them.

Furthermore, "exploit code was already available for >50% of vulnerabilities by the time they published to the CVE list." That the exploit code was already available sounds alarming at face value, and it is an issue. However, it also means that security researchers are already working on patching the issue.

The common practice is to patch vulnerabilities within a 30-day window of publication. That doesn't always happen, but it is what most tech companies work towards.

The chart below further illustrates the discrepancy between the number of reported CVEs and the number actually exploited.

kenna security exploits percentage graph

Around 75 percent of CVEs are detected by less than 1 in 11,000 organizations, and just 5.9 percent of CVEs are detected by 1 in 100 organizations. That's quite the spread. You should note that the above chart refers to the 473 exploits, rather than the 18,000 or so total vulnerabilities.

You can find the above data and figures in Prioritization to Prediction Volume 6: The Attacker-Defender Divide.

Who Assigns CVEs?

You might be wondering who assigns and creates a CVE to begin with. Not just anyone can assign a CVE. There are currently 153 organizations from 25 countries authorized to assign CVEs.

That doesn't mean only these companies and organizations are responsible for security research around the world. Far from it, in fact. What it means is that these 153 organizations (known as CVE Numbering Authorities, or CNAs for short) work to an agreed-upon standard for the release of vulnerabilities into the public domain.

It's a voluntary position. The participating organizations must demonstrate the "ability to control the disclosure of vulnerability information without pre-publishing," as well as to work with other researchers who request information on the vulnerabilities.

There are three Root CNAs, which sit at the top of the hierarchy:

  • MITRE Corporation
  • Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
  • JPCERT/CC

All other CNAs report to one of these three top-level authorities. The reporting CNAs are predominantly tech companies and hardware developers and vendors with name recognition, such as Microsoft, AMD, Intel, Cisco, Apple, Qualcomm, and so on. The full CNA list is available on the MITRE website.

Vulnerability Reporting

Vulnerability reporting is also defined by the type of software and the platform the vulnerability is found on. It also depends on who initially finds it.

For example, if a security researcher finds a vulnerability in some proprietary software, they're likely to report it to the vendor directly. Alternatively, if the vulnerability is found in an open-source program, the researcher might open a new issue on the project reporting or issues page.

However, if a nefarious person were to find the vulnerability first, they might not disclose it to the vendor in question. When this happens, security researchers and vendors might not become aware of the vulnerability until it is used as a zero-day exploit.

How Do Security Companies Rate CVEs?

Another consideration is how security and tech companies rate CVEs.

The security researcher doesn't just pull a number out of thin air and assign it to a newly discovered vulnerability. There is a scoring framework in place that guides vulnerability scoring: the Common Vulnerability Scoring System (CVSS).

The CVSS scale is as follows:

Severity

Base Score

None

0

Low

0.1-3.9

Medium

4.0-6.9

High

7.0-8.9

Critical

9.0-10.0

To figure out the CVSS value for a vulnerability, researchers analyze a series of variables covering Base Score Metrics, Temporal Score Metrics, and Environmental Score Metrics.

  • Base Score Metrics cover things like how exploitable the vulnerability is, the attack complexity, the privileges required, and the scope of the vulnerability.
  • Temporal Score Metrics cover aspects such as how mature the exploit code is, if remediation for the exploit exists, and the confidence in the reporting of the vulnerability.
  • Environmental Score Metrics deal with several areas:
    • Exploitability Metrics: Covering the attack vector, attack complexity, privileges, user interaction requirements, and scope.
    • Impact Metrics: Covering the impact on confidentiality, integrity, and availability.
    • Impact Subscore: Adds further definition to the Impact Metrics, covering confidentiality requirements, integrity requirements, and availability requirements.

Now, if that all sounds a little confusing, consider two things. First, this is the third iteration of the CVSS scale. It initially began with the Base Score before adding the subsequent metrics during later revisions. The current version is CVSS 3.1.

Second, to better understand how CVSS denominates scores, you can use the National Vulnerability Database CVSS Calculator to see how the vulnerability metrics interact.

national vulnerability database cvss calculator

There is no doubt that scoring a vulnerability "by eye" would be extremely difficult, so a calculator like this helps deliver a precise score.

Staying Safe Online

Even though the Kenna Security report illustrates that only a small proportion of reported vulnerabilities become a serious threat, a 6 percent chance of exploitation is still high. Imagine if your favorite chair had a 6 in 100 chance of breaking every time you sat down. You'd replace it, right?

You don't have the same options with the internet; it's irreplaceable. However, like your favorite chair, you can patch it up and secure it before it becomes an even bigger issue. There are five important things to do to say safe online and avoid malware and other exploits:

  1. Update. Keep your system up to date. Updates are the number one way tech companies keep your computer safe, patching out vulnerabilities and other flaws.
  2. Antivirus. You might read things online such as "you no longer need an antivirus" or "antivirus is useless." Sure, attackers constantly evolve to evade antivirus programs, but you'd be in a far worse situation without them. The integrated antivirus on your operating system is a great starting point, but you can bulk out your protection with a tool like Malwarebytes.
  3. Links. Don't click them unless you know where they're going. You can inspect a suspicious link using your browser's inbuilt tools.
  4. Password. Make it strong, make it unique, and never reuse it. However, remembering all those passwords is difficult—no one would argue against that. That's why you should check out a password manager tool to help you remember and better secure your accounts.
  5. Scams. There are a lot of scams on the internet. If it seems too good to be true, it probably is. Criminals and scammers are adept at creating swish websites with polished parts to whoosh you through a scam without realizing it. Don't believe everything you read online.

Staying safe online doesn't have to be a full-time job, and you don't have to worry every time you fire up your computer. Taking a few security steps will drastically boost your online security.