The Dirty Dozen Vendors Deluging Your Vulnerability Management Team

We’ve all heard about the 80/20 rule in business. But in vulnerability management, it may be more like the 54/12 rule. According to a new report out last week by vulnerability intelligence firm Risk Based Security, in 2017 about 54% of all new vulnerabilities came from just 12 vendors.

It’s a heady list of the who’s who in enterprise systems, with plenty of obvious contenders and a few surprises, too. The top 12, ranked by volume of catalogued vulnerabilities, are as follows:

  1. Oracle
  2. SUSE
  3. Google
  4. Red Hat
  5. Canonical
  6. IBM
  7. Microsoft
  8. Samsung
  9. Apple
  10. Cisco
  11. Adobe
  12. HPE

Among this collection of vendors, the typical severity of vulnerabilities was medium, with an average CVSSv2 score of 6.54. There were a couple of outliers when it comes to average severity, namely Adobe and HPE. While these two firms had the fewest enumerated vulnerabilities of the 12, they had a much stronger concentration of high-severity flaws: Adobe’s average CVSSv2 score was 8.01 and HPE’s was 7.13. This is speculation, but given this inverse relationship between volume and severity rating, the numbers could reflect the disclosure and patch release policies of these two organizations rather than their true vulnerability posture.


Source: Risk Based Security, Year-End 2017 Vulnerability QuickView Report

When it comes to vendors with the highest volume of very severe vulnerabilities, those with scores of 9.0 to 10.0, the mix changes. The top five vendors here were Google, SUSE, Canonical, Red Hat and SGP (a subsidiary of Silent Circle).

Overall, the fact that just a few vendors account for so much of the vulnerability volume catalogued for 2017 is probably a good sign for the industry. It’s likely an indication that these larger vendors are getting better at finding vulnerabilities in their software and at responding to external discoveries by independent security researchers. According to this report, coordinated vulnerability disclosure has been on the uptick since 2013. Since then the share of coordinated disclosures among the vulnerabilities aggregated has increased by 16.7 percentage points, according to Risk Based Security.

“One factor in this increase is the rising popularity of GitHub, where users can submit issues to the software vendor/developer directly,” the report explains. “While the information is made public right away, many developers do not specify any other method to report an issue, even if it has a security impact. So researchers following the developer’s guidelines and reporting issues via the bug trackers is coordinated.”

Last year, about 45% of vulnerabilities came as the result of coordinated disclosure, and another 19% from uncoordinated disclosure, figures that show how important vendor outreach to the security community is in addressing the kinds of flaws that impact their customers.

Overall, Risk Based Security published 20,832 vulnerabilities last year, a sizeable 31% increase over 2016. Among this total pool of security flaws, 39% had a CVSSv2 score above 7.0 and 49% could be exploited remotely. Just under a quarter of them have no known solution.
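A vulnerability management team can compute the same headline figures (vendor concentration, per-vendor average CVSSv2, and the above-7.0 / critical / remote / no-fix shares) over its own feed. The script below is an added example, not code from the report or the post; its records are constructed sample data with made-up scores, and "SmallCo" is a hypothetical vendor.

```python
"""Aggregate a vulnerability feed the way the report does: vendor
concentration, per-vendor average CVSSv2, and the severity/remote/no-fix mix."""
from collections import Counter, defaultdict

# Constructed sample feed (not report data): vendor, CVSSv2 base score,
# remotely exploitable, and whether a fix is available.
FEED = [
    {"vendor": "Oracle",  "cvss": 5.0, "remote": True,  "has_fix": True},
    {"vendor": "Oracle",  "cvss": 6.0, "remote": False, "has_fix": True},
    {"vendor": "Oracle",  "cvss": 7.5, "remote": True,  "has_fix": True},
    {"vendor": "Google",  "cvss": 9.8, "remote": True,  "has_fix": True},
    {"vendor": "Google",  "cvss": 4.3, "remote": False, "has_fix": False},
    {"vendor": "Google",  "cvss": 7.2, "remote": False, "has_fix": True},
    {"vendor": "Adobe",   "cvss": 9.5, "remote": True,  "has_fix": True},
    {"vendor": "Adobe",   "cvss": 7.7, "remote": True,  "has_fix": True},
    {"vendor": "HPE",     "cvss": 7.5, "remote": False, "has_fix": True},
    {"vendor": "SmallCo", "cvss": 5.0, "remote": False, "has_fix": False},  # hypothetical vendor
]

def top_vendor_share(feed, n):
    """Fraction of all records that come from the n most prolific vendors
    (the report's '54% from 12 vendors' style figure)."""
    counts = Counter(r["vendor"] for r in feed)
    return sum(c for _, c in counts.most_common(n)) / len(feed)

def avg_cvss_by_vendor(feed):
    """Mean CVSSv2 per vendor, rounded to two decimals; low-volume vendors
    with a high mean are the Adobe/HPE-style outliers the post describes."""
    scores = defaultdict(list)
    for r in feed:
        scores[r["vendor"]].append(r["cvss"])
    return {v: round(sum(s) / len(s), 2) for v, s in scores.items()}

def severity_mix(feed):
    """Shares of the feed above 7.0, at 9.0+, remotely exploitable, and with no known fix."""
    n = len(feed)
    return {
        "above_7": sum(r["cvss"] > 7.0 for r in feed) / n,
        "critical": sum(r["cvss"] >= 9.0 for r in feed) / n,
        "remote": sum(r["remote"] for r in feed) / n,
        "no_fix": sum(not r["has_fix"] for r in feed) / n,
    }

if __name__ == "__main__":
    print(f"top-3 vendor share: {top_vendor_share(FEED, 3):.0%}")
    for vendor, avg in sorted(avg_cvss_by_vendor(FEED).items(), key=lambda kv: -kv[1]):
        print(f"{vendor:8s} avg CVSSv2 {avg}")
    print(severity_mix(FEED))
```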

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Ericka Chickowski. Read the original post at:

Ericka Chickowski

An award-winning freelance writer, Ericka Chickowski covers information technology and business innovation. Her perspectives on business and technology have appeared in dozens of trade and consumer magazines, including Entrepreneur, Consumers Digest, Channel Insider, CIO Insight, Dark Reading and InformationWeek. She's made it her specialty to explain in plain English how technology trends affect real people.
