JerryGamblin.com

A New Era of Transparency for CVE Data Quality

August 14, 202563 Views

I’m incredibly excited to finally share something I’ve been pouring my heart into at RogoLabs. For those of you who caught my talk at BSidesLV, you got a sneak peek, but today it’s official: CNAScorecard.org is live!

For years, the CVE program has been our shared language for identifying vulnerabilities. But lately, we’ve all felt the growing pains. We’re seeing more CVEs with incomplete, vague, or missing data. This isn’t just a small problem; it’s a huge one that leads to alert fatigue, slow response times, and automated tools that simply can’t do their jobs.

The recent NVD backlog shined a spotlight on this issue. Thousands of CVEs were left unanalyzed, lacking critical CVSS scores and CPE data. The truth is, the responsibility for data enrichment has shifted back to the CVE Numbering Authorities (CNAs), and many simply haven’t been providing this level of detail for over a decade.

This is precisely the challenge RogoLabs was created to solve. Moving beyond just counting vulnerabilities and focusing on measuring the quality and completeness of that data. CNAScorecard.org is a core part of this mission, alongside my other projects like CVE.icu, a platform for exploring vulnerability data, and CVEForecast.org, an open-source tool that predicts annual CVE volume.

The Four Pillars of a Truly Useful CVE

A CVE needs more than a basic ID to be actionable. It needs solid information across four key pillars:

The Weakness (CWE): This identifies the root cause of the vulnerability (e.g., SQL Injection), helping us understand why it exists.
The Product (CPE): This is how we precisely identify affected software (e.g., cpe:/a:apache:http_server:2.4.54). Without a complete CPE, your scanners are flying blind. In 2024 alone, more than 14,000 CVEs were published without a CPE—more than the previous four years combined.
The Severity (CVSS): This gives you a score (0.0-10.0) to prioritize a vulnerability. Without it, you’re left guessing which issues to tackle first.
The Fix (Patch Info): The ultimate goal is to fix vulnerabilities. A CVE without a clear path to a solution—like a vendor advisory, patch link, or code commit—is just a problem statement, not a solution.

Introducing CNAScorecard.org

The old saying holds true: you can’t improve what you don’t measure. CNAScorecard.org is a public, data-driven scorecard for every CVE Numbering Authority. It gives us the objective measurement we need to demand better data across the board and helps you identify which sources you can truly trust.

The system is open-source, updates every six hours, and focuses on the last six months of CVE data to keep the information current. It scores CVE records against the four pillars, rolling those scores up into an overall quality grade for each CNA.

A Look at the Initial Data

The first results are eye-opening:

Foundational Completeness: 100.0%
Root Cause Analysis (CWE): 87.4%
Severity & Impact (CVSS): 88.4%
Software Identification (CPE): 2.0%
Patch Information: 4.8%

These low scores for CPE and patch links highlight a critical problem. They lead to impaired automation, endless manual research, and inaccurate reporting for security teams everywhere.

How This Helps You

CNAScorecard.org is designed to empower everyone in the security community.

For Defenders: Use these scores to quickly identify and act on complete CVEs. The CNA grades are a powerful trust metric for evaluating your vendors.
For CNAs: This is a clear benchmark to see how your disclosure processes stack up against your peers. It’s a roadmap for improvement, showing you exactly where you can enhance your data quality. High-quality disclosure is a key driver of customer trust.
For the Ecosystem: We’re providing a continuously updated, public metric for the health of the CVE program. This brings much-needed accountability to a federated system.

Get Involved

This project isn’t just about a website; it’s about building a better, more transparent future for vulnerability management. Every line of code, every data point, and every score on CNAScorecard.org is part of a larger mission to improve the CVE ecosystem for everyone. With the right tools and a collaborative community, we can solve the challenges facing our industry.

The entire codebase is available on GitHub, and we’d love for you to contribute, provide feedback, or use it to build your own solutions.

Vegas Bound for Security Summer Camp!

July 30, 202587 Views

It’s that time of year again! The first week of August means my annual trip to the desert for “Security Summer Camp”—the whirlwind of BSides Las Vegas, Black Hat, and DEF CON. It’s always an exhausting but amazing week, and I can’t wait to dive in, catch up with everyone, and talk about what I’ve been working on.

This year, I’m excited to be giving two talks that dig into the weeds of the CVE ecosystem.

My Talks in Vegas

I’ll be on stage at both BSidesLV and the AppSec Village at DEF CON.

Event	Talk Title	The Gist	When & Where
BSides Las Vegas	“The Art of Concealment: CVE’s Challenge with Transparency”	A 20-minute dive into the “broken promise” of the CVE system. I’ll break down the four pillars of an actionable CVE (Weakness, Product, Severity, Fix) and show how incomplete data is breaking our automated tools. I’ll also introduce CNAScoreCard.org, a new RogoLabs project to bring transparency and accountability to the ecosystem by measuring data quality.	Tues, Aug 5 @ 2:30 PM at the Tuscany Suites & Casino
AppSec Village at DEF CON 33	“CVE Crisis: Navigating the Post-NVD Monolith Era”	A look at the bigger picture of our strained disclosure ecosystem now that the NVD is no longer the single source of truth. With the institutional power shifting to CISA, I’ll cover how to navigate this new fragmented landscape by integrating multiple intelligence sources (CISA KEV, open-source, commercial feeds) and moving to a true risk-based vulnerability management model.	Friday Afternoon, Aug 8 at the AppSec Village

Let’s Connect

The best part of this week is always the people. I’m genuinely looking forward to connecting, hearing what you’re working on, and trading stories from the trenches.

My passion project, RogoLabs, is all about bringing clarity to vulnerability intelligence through open-source tools like CVE.ICU. To celebrate that, I’ll have some of the very first-run RogoLabs stickers with me.

If you see me, please say hello! I’d love to chat about CVEs, vulnerability management, or anything else. Find me after one of my talks or just flag me down in the hallway.

You can find me on bsky, Twitter, or Mastodon (infosec.exchange) as @jgamblin or learn more about my work at RogoLabs.net.

See you in Vegas!

2024 CVE Data Review

January 5, 20256132 Views

2024 brought unprecedented growth in CVE data, so I figured it would be appropriate to start the new year by exploring these statistics and highlighting some of the more intriguing data points.

CVEs By The Numbers

We ended 2024 with 40,009 published CVEs, up over 38% from the 28,818 CVEs published in 2023.

On average, 108 CVEs were published each day.
May had the highest number of CVEs released, totaling 5,010 or 12.5% of all CVEs for the year.
Tuesdays emerged as the leading publishing days, accounting for 9,706 CVEs, or 24.3% of published CVEs.
May 3rd recorded the most CVEs released in a single day, with 824.

CVEs By Month

Month	CVEs	Percentage
January	2593	6.5
February	2778	6.9
March	3310	8.3
April	3622	9.1
May	5010	12.5
June	3080	7.7
July	3124	7.8
August	2900	7.2
September	2522	6.3
October	3573	8.9
November	4058	10.1
December	3439	8.6

CVEs By Day Of The Week

Day	CVEs	Percentage
Monday	6449	16.1
Tuesday	9706	24.3
Wednesday	7143	17.9
Thursday	6321	15.8
Friday	7100	17.7
Saturday	1858	4.6
Sunday	1432	3.6

Top 10 CVE Publishing Days

Date	CVEs
5/3/24	845
5/14/24	824
7/9/24	471
5/21/24	436
10/21/24	436
11/22/24	385
4/9/24	384
11/19/24	383
12/12/24	341
11/12/24	333

CVE Growth

For the seventh consecutive year since 2017, we witnessed a record high of 40,009 CVEs published, marking a 38.83% increase from 2023. This means that 15.32% of all CVEs released occurred in the previous year.

CVE CVSS Scores

The Common Vulnerability Scoring System (CVSS) offers a way to capture the key characteristics of a vulnerability and generate a numerical score that ranges from 0.0 to 10.0, reflecting its severity. This year, the average CVSS score was 6.67.

A total of 231 vulnerabilities achieved a “perfect” score of 10.0.

CVE-2024-2365 recorded the lowest published CVSS score of 1.6.

CPE

Common Platform Enumeration (CPE) is a systematic naming convention for IT systems, software, and packages that facilitates identifying vulnerable software listed in a CVE.

This year, 19,807 distinct CPEs were recorded in CVEs, with the most prevalent being cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, which was referenced 8,093 times.

CVE-2024-20433, related to a vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software, has the highest number of CPEs at 2,434 unique, vulnerable configurations.

CNA

CVE Numbering Authorities (CNAs) consist of software vendors, open-source projects, coordination centers, bug bounty service providers, hosted services, and research groups that the CVE Program authorizes to assign CVE IDs to vulnerabilities and publish CVE Records within their designated scopes of coverage.

There are 433 CNAs, and 350 of them have published at least one CVE this year.

The Top 5 CNAs last year were:

CNA	Published CVEs	Overall Percentage
Patchstack	4,566	11.41
Kernel.org	4,325	10.81
Wordfence	3,525	8.81
Vuldb	2,936	7.34
Github	2,121	5.3

The top five CNAs this year were specifically established to report CVEs for open-source projects (VulDB, Kernel.org, and GitHub) or WordPress plugins (Patchstack and Wordfence). These five CNAs published 17,473 CVEs, accounting for 43.67% of all CVEs this year.

CWE

CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a benchmark for security tools, and a foundation for identifying, mitigating, and preventing weaknesses.

There are 940 CWEs, and 237 were assigned to CVEs this year. CWE-79 was the most assigned CWE and was assigned 6,227 times, or 15.56% of all CVEs. NVD didn’t assign a CWE (NVD-CWE-noinfo or Missing_Data) 6,292 times or 15.73% of all CVEs.

Notes

695 Rejected CVEs have been removed from the dataset this year.

This GitHub repository contains Jupyter notebooks with all the data and visualizations utilized in this blog.

CVE.ICU is an open-source project that I manage, tracking most of the aforementioned data points in real-time throughout the year, should you wish to stay updated with the data.

Celebrating 25 Years of CVE’s

October 30, 2024464 Views

The Common Vulnerabilities and Exposures (CVE) program, launched in late October 1999, has not only marked its presence but has become a pivotal force in shaping how we perceive and manage cybersecurity threats.

A Journey Through Time

The CVE program emerged as a beacon, standardizing how vulnerabilities are identified, shared, and mitigated. From its inception with just 321 entries, it has ballooned to over 240,000 records, showcasing a remarkable evolution from simple bug tracking to a sophisticated vulnerability management system.

The Impact of CVE

Over these 25 years, CVE has revolutionized cybersecurity:

Global Collaboration: CVE’s framework has fostered an international community where vulnerabilities are reported and collaboratively addressed. This spirit of sharing knowledge has directly contributed to enhanced global cyber resilience.
Standardization: Before CVE, describing a vulnerability could vary wildly, leading to confusion and missed patches. Now, a CVE identifier provides a universal language, ensuring that everyone is on the same page when a vulnerability is mentioned.
Proactive Defense: By cataloging vulnerabilities, CVE allows for proactive patching and mitigation strategies, turning reactive cybersecurity into a more predictive and preventive practice.

Celebrating Milestones

This anniversary isn’t just about numbers; it’s about milestones:

Growth: From a nascent project to a mammoth database, CVE’s growth mirrors the expansion of the internet itself.
Community: Over 400 CVE Numbering Authorities (CNAs) across 40 countries now contribute, showcasing a vibrant, global effort in cybersecurity.
Innovation: The program has not just adapted but led with innovations like the integration with other standards bodies, enhancing its reach and effectiveness.

Looking Ahead

As we celebrate, we also look to the future. Cybersecurity is an ever-evolving battlefield, with new technologies like AI, IoT, and quantum computing on the horizon. CVE’s role will only grow, adapting to these changes and ensuring that as the digital landscape expands, so will our ability to secure it.

Conclusion

The 25th anniversary of the CVE program is more than a celebration; it reflects how far we’ve come in fortifying our digital lives. Here’s to the CVE program for identifying vulnerabilities and empowering us all to build, innovate, and connect with greater confidence in our digital future. Here’s to another 25 years of vigilance, innovation, and collaboration in cybersecurity.

Who Is Going To Enrich CVEs?

May 30, 2024827 Views

The Last 100+ Days

The NVD posted the notice below on its webpage in mid-February. Since then, nearly 13,000 CVEs have not been enriched with CWE, CVSS, and CPE data.

The vulnerability management community was told that it would be addressed at Vulncon this year. At the conference, we were told the enrichment would restart “in the next couple of days” and that a “consortium was being founded” to help guide the NVD. I left hopeful about the NVD’s future and tried hard to present a positive outlook. I spent time defending NVD as the source of the truth at work and in the community, waiting for the enrichment to continue, and closely tracking the backlog as it grew.

I patiently waited for an announcement about the consortium and for the enrichment of CVEs to start again. Neither happened (The NVD did analyze 167 CVEs in April, but 120 CVEs per day were published). On April 25th, the NVD posted an update saying it was still committed to enriching CVEs.

At RSAC in May, CISA announced they would start a program called Vulnrichment and enrich all CVEs that a CNA did not. They have started publishing CVE data they produced in a GitHub Repository and will start publishing it directly to CVE records as an Authorized Data Publisher (ADP). A week ago, I sat through a CVE Automation Working Group meeting where they walked through the plan, and I was once again hopeful that this would help elevate the backlog of CVEs needing enrichment and make their ADP the new source of truth for enrichment data. I started sharing this information and consulting people they would need to update their products to use the new CVE 5.1 Schema to ingest this data.

Yesterday, the NVD posted an announcement on its website stating that it had awarded a contract for additional processing support. The additional support would allow them to return to the processing rates they maintained before February 2024 within the next few months. They will work with CISA to eliminate the backlog by September 30th.

So, Who Is Going To Enrich CVEs?

In the last 100 days, I have spent a lot of professional equity telling people:

We Will Know After Vulncon.
NVD Announced They Will Start Enriching CVEs In A Few Days.
I Don’t know What Is Going On With NVD.
CISA Announced They Are Doing Vulnrichment.
NVD Announced They Will Start Enriching CVEs In A Few Months.

At this point, I don’t know who will enrich CVE data in the future, how they will do it, or whether the data will be correct or useful. This is a terrible place to be.

Predicting CVEs in 2024

January 5, 20241341 Views

Every year, I get asked, “How many CVEs do you think will be published this year?“

I am always willing to take a guess, but last year, I read Time Series Forecasting in Python. As I started to read more about the Kalman Filter, I figured it would work great for predicting CVE growth, so I built a simple model to test it out.

2024 Prediction

My 2024 CVE model using the Kalman Filter is predicting 32,600 published CVEs.

Here is the monthly breakdown:

2023 Review

The model for 2023 underestimated the number of CVEs by 1,670, which I felt was really good for the first attempt.

What is the Kalman Filter?

The Kalman Filter algorithm uses a series of measurements observed over time to produce estimates that tend to be more accurate than those based on a single measurement alone. In essence, it helps predict the future state of a system based on its current state and past trends.

What Python Library Did You Use?

I have been using Darts by Unit8 as it is fully featured and easy to implement.

Code

All the code for this blog post is in this Github Repository, and I plan on automating and updating it as I get more time.

2023 CVE Data Review

January 3, 20247393 Views

2023 marked another year of record growth in CVE data, and I thought it fitting to kick off the new year by delving into these statistics and showcasing some of the more interesting data points.

CVEs By The Numbers

We ended 2023 with 28,902 published CVEs, up over 15% from the 25,081 CVEs published in 2022.

On average, there were 79.18 CVEs published per day.
October was the month with the most CVEs published, with 2,690 or 9.3% of all CVEs for the year.
Tuesdays were the top publishing days, with 6,438 CVEs or 22.3% of all CVEs published.
January 26th had the most CVEs published in a single day, with 348.