Vulnerability Disclosures Drop in Q1 for First Time in a Decade

Published: 23/11/2024   Category: security



Even with more security issues published on Patch Tuesdays, the total number of software flaws dropped for the first three months of 2020, according to one tally.



The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, according to an analysis published on Thursday by Risk Based Security.
While the drop occurred in the same quarter that the coronavirus pandemic caused many companies to start moving employees to remote work, there is no clear connection or mechanism for why there would be fewer vulnerabilities, says Brian Martin, vice president of intelligence for Risk Based Security.
"Everything that is an outlier for us is due to COVID-19," he says. "But based on that, I could give you reasons why the numbers should be higher or should be lower, because you can argue either way based on theories of COVID-19's impact."
The report is a snapshot in time of where the annual vulnerability count stands. While the overall count for the quarter may decline, one major finding is that some software companies' strategy of releasing vulnerabilities on the second Tuesday of the month — so-called Patch Tuesday — is starting to overburden IT security teams, Martin says.
"We do notice that Patch Tuesdays are getting worse and worse," he says. "Administrators and security teams are going to experience more of a problem on these Tuesdays because they have to triage more and more vulnerabilities."
The counting of publicly disclosed vulnerabilities varies among the organizations that track software flaws. The National Vulnerability Database run by the National Institute of Standards and Technology, for example, shows 7,950 recorded vulnerabilities so far in 2020 and appears to be on track to match last year's count.
The first-quarter vulnerability count is a running total. Risk Based Security and MITRE both backfill their database with information on software flaws that may have been disclosed in the first quarter but were not initially counted. Based on previous trends, RBS expects the true count of vulnerabilities to land around 6,100 for the first quarter of 2020, down from an estimated final count of about 6,400 for the first quarter of 2019.
The company does not expect a final count to emerge until about three years later, according to the report.
"This trend is fairly consistent, and the end result is that we see our raw count — the one we publish fresh off the press — mature to a steady future state within a period of three years," according to the RBS report.
The most likely explanation for the drop is some impact on software companies or on vulnerability researchers due to COVID-19 and the move for many companies to remote work, Martin says. 
Yet the impact of COVID-19 could result in plausible explanations for a drop or for an increase, he says. Disruptions at work and reductions in security workers through layoffs could lead to fewer vulnerability reports being triaged and disclosed. However, with more time to pursue projects and the need to have additional wins on their resumes, vulnerability researchers could spend more time looking for security issues, he says.
"In this quarter, we know for sure that some security teams got cut back, and we still see these security companies losing people," Martin says. "Yet researchers who are out of work may go back to vulnerability research to put something on their resume. It could go either way."
Overall, Martin expects more clarity later in the year as more vulnerabilities found during the height of the initial surge of the pandemic in the first half of 2020 come to light. 
"It is very difficult to say at this point, because we have just finished up with Q1, and it is so soon after COVID," he says. "We are close to on par for last year. It may have been a case of it just being a slow first quarter."
Related Content:
How Enterprises Are Developing and Maintaining Secure Applications
Attackers Adapt Techniques to Pandemic Reality
Microsoft Fixes 111 Vulnerabilities for Patch Tuesday
More Than 22,000 Vulns Were Disclosed in 2018, 27% Without Fixes
Vulnerabilities Dip 7%, but Researchers Are Cautious
How Cybersecurity Incident Response Programs Work (and Why Some Don't)