Reported Software Vulnerabilities on Track to Break Record in 2017

The number of reported software flaws took off in 2017 and is on track for a record-breaking year, according to two organizations that track vulnerability disclosures.

The National Vulnerability Database, managed by the U.S. National Institute of Standards and Technology, has documented more than 13,400 vulnerabilities so far this year, more than double the database logged in all of 2016.

Meanwhile, security-information firm Risk Based Security documented more than 18,700 vulnerabilities in 2017, an increase of more than a third compared to the same period in the previous year. Part of the increase is likely due to the fact that both the National Vulnerability Database and companies, such as Risk Based Security, are including a greater number of vulnerabilities in their datasets.

Yet, two other factors—a greater number of researchers focusing on vulnerabilities and a greater number of applications in which to find vulnerabilities are likely driving the trend as well, Jake Kouns, RBS’s chief information security officer, told eWEEK.

“There is no single answer, but we continue to get better at finding vulnerabilities,” he said. “We are looking deeper, so we are finding more, but we are also creating more software (in which) to find issues.”

While RBS has continued to find and collect a greater number of vulnerability reports each year, compared to previous years, the National Vulnerability Database’s volume of documented reports has remained quite consistent, logging between 4,000 and 6,500 vulnerabilities every year since 2005, with one notable exception. In 2014, the organization collected nearly 8,000 software-flaw reports.

Yet, with 2017 reports already exceeding 14,000, this year will stand out.

The year will also be a record-setter for VulnDB, RBS’s vulnerability database. The company’s collection of software flaws has grown every year, and includes more vulnerability reports than the U.S. government database on an annual basis. Just as the Dow hit 20,000 earlier this year, the number of vulnerabilities documented by RBS will likely hit that mark as well.

About 32 percent of vulnerabilities had a public exploit. In addition, 6.1 percent of vulnerabilities found in 2016 and 2017 were coordinated through vendor or third-party bug bounty programs.

While the greater number of vulnerabilities does not necessarily mean that software users are at greater risk, most major developers are on track to see a rise in the number of vulnerabilities reported in their software in 2017. In addition, there is a slightly greater percentage of severe vulnerabilities—those scoring 7.0 or higher in 2017 on the widely used, if flawed, Common Vulnerability Scoring System—compared to 2016.

The ballooning collection of security flaws underscores that users—or their IT administrators—need to keep their systems up to date. Yet, only 76 percent of vulnerabilities uncovered in the first nine months of 2017 have a patch, upgrade or other fix. While security products can help defend systems against attacks, they are not foolproof either since about 5 percent of vulnerabilities reported this year were in security products.