NVD provides a list of all CVEs that anyone can download. You can download them by year in JSON or XML format, set up an RSS feed, or even search their database. Using this data, I can count which vendor has the most vulnerabilities and, on that basis, consider them to be insecure, right?
The truth is, not so much. These are reported vulnerabilities. Someone made a report and a CVE was created. This says nothing about the vulnerabilities that could be in the software but weren’t reported.
And it isn’t just this vendor. It’s possible that the software you use every day has multiple vulnerabilities that were fixed and never reported. It’s also possible it has vulnerabilities that weren’t fixed and weren’t reported. And that’s assuming the vulnerabilities were found at all.
Every piece of software has vulnerabilities; the question is, did someone go look for them, and if they did, did they report them? Malicious actors find vulnerabilities to use in their own activities, and they certainly don’t want them fixed, so they aren’t going to report them to anyone.
The point of this is that the tendency to conflate the number of vulnerabilities a product has with the number of CVEs it has is wrong. CVEs are just the vulnerabilities that have been reported; their count is not an indication at all of the number of vulnerabilities in a product.
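To make the distinction concrete, here is an added example (not code from the editorial) that performs the tally from the opening paragraph: it counts distinct CVE records per vendor from NVD-style JSON. The feed layout (an NVD CVE API 2.0 response with CPE 2.3 `criteria` strings) and the sample records, including the CVE IDs, are assumptions constructed for the example; what the function returns is a count of reports, which is all a CVE count can be.

```python
"""Count distinct CVE records per vendor in NVD API 2.0-style JSON."""
import json

# Constructed sample in the assumed shape of an NVD CVE API 2.0 response;
# the CVE IDs and vendor names are placeholders, not real records.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:vendora:widget:1.0:*:*:*:*:*:*:*"},
            {"vulnerable": True, "criteria": "cpe:2.3:a:vendora:widget:1.1:*:*:*:*:*:*:*"},
        ]}]}]}},
        {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:vendora:gadget:2.0:*:*:*:*:*:*:*"},
            {"vulnerable": False, "criteria": "cpe:2.3:o:vendorb:os:3.0:*:*:*:*:*:*:*"},
        ]}]}]}},
        {"cve": {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:vendorb:tool:1.0:*:*:*:*:*:*:*"},
        ]}]}]}},
    ]
})


def cpe_vendor(criteria: str) -> str:
    """Return the vendor field of a CPE 2.3 formatted string, or "" if malformed."""
    parts = criteria.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        return ""
    return parts[3]


def reported_cves_per_vendor(nvd_json: str) -> dict[str, int]:
    """Map vendor -> number of distinct CVE records naming it as vulnerable.

    A CVE listing several CPEs for one vendor counts once, and entries marked
    vulnerable=False (platform context) are skipped. The result counts
    reports that became CVEs, not vulnerabilities present in the product.
    """
    per_vendor: dict[str, set[str]] = {}
    for entry in json.loads(nvd_json).get("vulnerabilities", []):
        cve = entry["cve"]
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    vendor = cpe_vendor(match.get("criteria", ""))
                    if vendor and match.get("vulnerable"):
                        per_vendor.setdefault(vendor, set()).add(cve["id"])
    return {vendor: len(ids) for vendor, ids in per_vendor.items()}


if __name__ == "__main__":
    print(reported_cves_per_vendor(SAMPLE_NVD_JSON))  # {'vendora': 2, 'vendorb': 1}
```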
Incorrect assumptions, such as this one, can harm research. We want to research vulnerabilities, but we’re hampered by the lack of data and the lack of usable data. We shouldn’t let that push us into incorrect assumptions, because results built on them aren’t usable either.
DTRAP welcomes research into vulnerabilities but you have to be careful of your assumptions and your data.