Vulnerability Disclosure Data Sources
Before we dig into the vulnerability disclosure data, let me tell you where the data comes from and provide some caveats regarding the validity and reliability of the data. There are three primary sources of data that I used for this chapter:
- The CVE List: https://www.cve.org/
- The NVD: https://nvd.nist.gov/vuln/search
- CVE Details: https://www.cvedetails.com/
The CVE List is the de facto authoritative source of vulnerability disclosures for the industry. The NVD imports data from the CVE List and adds metadata to it (including metrics and scoring information) (CVE, 2020). The CVSS is used to calculate severity scores for each CVE imported into the NVD. However, this doesn’t mean the data in the CVE List or the NVD is perfect, and neither is the CVSS. I attended a session at the Black Hat USA conference in 2013 called “Buying into the Bias: Why Vulnerability Statistics Suck” (Brian Martin, 2013).
This...