Vulnerabilities are weaknesses leveraged by adversaries to compromise the confidentiality, availability or integrity of a resource. The vulnerability ecosystem has matured considerably in the last few years. A significant amount of effort has been invested to capture, curate, taxonomize and communicate the vulnerabilities in terms of severity, impact and complexity of the associated exploit or attack.
Standardizing how vulnerabilities are described contributes not only to effective threat intelligence sharing but also to potentially efficient threat management, provided that organizations, vendors and security researchers use vulnerability management techniques and practices to actively discover vulnerabilities and respond in a timely fashion.
Significant efforts are being made to standardize this information to reduce communication barriers and complexity, leading to a more effective analysis of vulnerabilities and a better understanding of the context within which different vulnerabilities are discovered.
However, due to the challenges of categorizing vulnerabilities, these efforts are fraught with difficulty. Vulnerability data can be incomplete, inaccessible or inaccurate, and the quality of the resulting information has an impact on decision making, policies, and practices. Moreover, vulnerability disclosure is influenced by a variety of factors, including financial incentives, the agenda of the disclosing stakeholder and the interaction of the various actors. Additionally, all of this takes place in a highly dynamic information security market.
The ENISA Report on the State of Vulnerabilities
To identify and highlight all the issues pertaining to effective vulnerability information sharing, ENISA collaborated with CERT-EU and academia to analyze and provide insight into both the opportunities and limitations that the vulnerability ecosystem offers.
Using the vulnerabilities published during the year of 2018 and Q1-Q2 of 2019 as a vehicle, the ENISA “State of Vulnerabilities 2018/2019” report attempts to answer questions related to the reliability, accuracy of the vulnerability sources and ...
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Anastasios Arampatzis. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/effective-threat-intelligence-vulnerability-analysis-enisa/

