This is the second of a four-part series examining the period of time between when a vulnerability is first discovered and when it is fully disclosed on the National Vulnerability Database. In this installment, we explore how common industry frameworks leave security teams with blind spots — and discuss how Tenable can help.
Knowledge rests not upon truth alone, but upon error also.—Carl Jung
Each year, cybersecurity teams around the world face an onslaught of new vulnerability disclosures affecting the software and systems in use in their organizations. In 2022 alone, more than 25,000 vulnerabilities were disclosed, nearly a 20% increase over the prior year.
The common frameworks organizations rely upon to evaluate vulnerabilities and prioritize which ones to fix first have become de facto standards. But they also leave security professionals with significant blind spots that serve to increase risk.
In this blog, we examine one of those blind spots: the gap in time between when a vulnerability is first discovered and when it is fully disclosed on the National Vulnerability Database (NVD). Of the 25,000+ vulnerabilities discovered last year, 295 were observed to be exploitable before they were fully disclosed on NVD.
Why is this a concern? Because busy cybersecurity professionals rely on those full NVD disclosures to make their remediation decisions. But attackers don’t wait. They’re ready to pounce as soon as a vulnerability is first discovered, leaving organizations with security gaps that can range from mere days to several months.
We believe these findings offer the valuable context that cybersecurity practitioners need to evolve their vulnerability management practices to embrace a risk-informed view of the expanding attack surface. This is the first step in the journey toward embracing a full exposure management program.
Glossary of terms
What does “ahead of NVD plugin coverage” mean? | “Ahead of NVD plugin coverage” means that Tenable products provided coverage before (or on the same day) a CVE was fully disclosed on NVD. |
What does “ahead of NVD VPR coverage” mean? | “Ahead of NVD VPR coverage” means that Tenable products provided a Vulnerability Priority Rating (VPR) before (or on the same day) a CVE was fully disclosed on NVD. |
Why are these classifications important? | Both plugin coverage and VPR are critical tools for security teams to practice preventive cybersecurity. The plugins made available in Tenable products prior to a vulnerability being fully disclosed on NVD provide security teams with the ability to mind the gap, while the VPR scoring system provides an alternate method cybersecurity teams can use to prioritize vulnerabilities for remediation. The generation of a VPR score is essential for vulnerabilities that have not yet been fully disclosed in NVD and for which CVSS scores are lacking. |
What does it mean to security professionals? | Rapid response By inspecting, disclosing and providing detection tools and guidance in a timely manner, Tenable Research enables security professionals to rapidly respond to the vulnerabilities that represent the greatest risk to their systems. Comprehensive intelligence Tenable Research maintains a continuously updated and context-rich data set of intelligence that feeds our products, enabling a best-in-class customer experience for security professionals. Proactive risk identification and remediation Tenable Research is constantly analyzing vulnerabilities to evaluate their risk to organizations as well as providing proactive remediation guidance, ensuring that security professionals have the tools they need to reduce risk on a proactive and continuous basis. |
22 years of Tenable plugin coverage ahead of NVD
We analyzed historical data to show the full scope of the gap and how it affects common software in use at many organizations. Between Jan. 1, 2000, and Dec. 31, 2022, Tenable has provided plugin coverage ahead of NVD for 32,862 vulnerabilities, of which 531 had not yet been fully disclosed in NVD (as of Dec. 31, 2022).
To show the full scope of the coverage gap facing cybersecurity teams, we also analyzed 16 software vendors whose products are commonly used in many large organizations. Fig. 1 shows the number of CVEs per vendor for which Tenable provided plugin coverage either prior to or on the same day a vulnerability was fully disclosed on NVD during the period of Jan. 1, 2000 – Dec. 31, 2022. Among these vendors, we found there was an average delay of 117 days between when a vulnerability was first discovered and when it was fully disclosed on NVD.
Fig. 1
Vendor | Plugin coverage ahead of NVD | Total plugin coverage | % of plugins released ahead of NVD | Avg delay observed in days |
Adobe | 278 | 4,271 | 6.5% | 21 |
Amazon | 368 | 5,342 | 6.9% | 161 |
Apple | 1,047 | 5,842 | 17.9% | 73 |
CentOS | 392 | 5,972 | 6.6% | 125 |
Cisco | 104 | 2,477 | 4.2% | 177 |
Debian | 578 | 8,288 | 7% | 85 |
525 | 3,239 | 16.2% | 35 | |
IBM | 259 | 1,603 | 16.2% | 154 |
Microsoft | 394 | 8,597 | 4.6% | 18 |
Mozilla | 76 | 2,593 | 2.9% | 175 |
Oracle | 1,439 | 13,575 | 10.6% | 173 |
Red Hat | 1,144 | 12,855 | 8.9% | 124 |
Slackware | 51 | 539 | 9.5% | 298 |
Solarwinds | 12 | 67 | 18% | 69 |
Suse Linux | 216 | 3,5611 | 6.1% | 133 |
VMWare | 49 | 535 | 9.1% | 55 |
Reference period: January 1, 2000 - December 31, 2022
Source: Tenable Research, April 2023
In the reference time period (2000 - 2022), the top five vendors for which Tenable filled the biggest percentage of plugin coverage ahead of the vulnerabilities being fully disclosed on NVD are:
- Apple (17.4%)
- Google (16.3%)
- IBM (16.2%)
- Solarwinds (12.9%)
- Slackware (11.0%)
In 2022 we observed the following (cumulative) assets:
- 15+ million running Apple software
- 97+ million assets running Google software
- 16+ million assets running IBM software
- 500.000+ assets running Solarwinds software
About The Mind the Gap series
This four-part Mind the Gap blog series is a valuable resource for security professionals that provides an overview of the observed vulnerability landscape with a focus on vulnerabilities discovered by Tenable Research before detailed information appeared on the NVD. This series stems from the analysis of our own dataset, one of the most extensive and rich datasets in the industries. Through the years, we gathered a broad knowledge of the vulnerability landscape, enmeshed with Tenable Research-specific insights and reporting capabilities.
Other blogs in this series:
- Mind the Gap: How Waiting for NVD Puts Your Organization at Risk
- Mind the Gap: A Closer Look at the Vulnerabilities Disclosed in 2022
- Mind the Gap: A Closer Look at Eight Notable CVEs from 2022