The Dirty Dozen Vendors Deluging Your Vulnerability Management Team

We've all heard about the 80/20 rule in business. But in vulnerability management, it may be more like the 54/12 rule. According to a new report out last week by vulnerability intelligence firm Risk Based Security, in 2017 about 54% of all new vulnerabilities came from just 12 vendors.

It's a heady list of the who's who in enterprise systems, with plenty of obvious contenders and a few surprises, too. The top 12 based on volume of catalogued vulns is as follows:

1. Oracle
2. SUSE
3. Google
4. Red Hat
5. Canonical
6. IBM
7. Microsoft
8. Samsung
9. Apple
10. Cisco
11. Adobe
12. HPE

Among this collection of vendors, the typical severity of vulnerabilities was medium, with an average CVSSv2 score of 6.54. There were a couple of outliers when it comes to average severity--namely from Adobe and HPE. While these firms had the fewest enumerated vulnerabilities, they had a much stronger concentration of high severity flaws. Adobe's average CVSSv2 score was 8.01 and HPE's was 7.13. This is just a speculation, but given this inverse relationship between volume and severity rating, this could be a reflection on the disclosure and patch release policies of these two organizations rather than an indication of their true vulnerability posture.

Source: Risk Based Security, Year-End 2017 Vulnerability QuickView Report

When it comes to vendors with the highest volume of very severe vulnerabilities--with scores of 9.0 to 10.0--the mix changes. Top five vendors here were Google, SUSE, Canonical, Red Hat and SGP (a subsidiary of Silent Circle).

Overall, the fact that just a few vendors dominate the found vulnerability database for 2017 is probably a good sign for the industry. It's likely an indication that these larger vendors are getting better at finding vulnerabilities in their software and responding to external discoveries by independent security researchers. According to this report, coordinated vulnerability disclosure has been on the uptick since 2013. Since then the number of coordinated vulnerabilities has increased by 16.7 percentage points based on the vulnerabilities aggregated, according to Risk Based Security.

"One factor in this increase is the rising popularity of GitHub, where users can submit issues to the software vendor/developer directly," the report explains. "While the information is made public right away, many developers do not specify any other method to report an issue, even if it has a security impact. So researchers following the developer's guidelines and reporting issues via the bug trackers is coordinated."

Last year, about 45% of vulnerabilities came as the result of coordinated disclosure, and another 19% from uncoordinated disclosure--figures that show how important vendor outreach to the security community is in addressing the kinds of flaws that impact their customers.

Overall, Risk Based Security published 20,832 vulnerabilities last year, a sizeable 31% increase over 2016. Among this total pool of security flaws, 39% had a CVSSv2 score of above 7.0 and 49% could be exploited remotely. Among the total list of flaws, just under a quarter of them have no known solution.