"Most Organizations Have Incomplete Vulnerability Information"

According to a new report released by Risk Based Security, a company that relies only on the Common Vulnerabilities and Exposures (CVE) system or the National Vulnerability Database (NVD) for insight into vulnerabilities remains exposed to a significant number of security issues, because 33% of disclosed flaws are missing from the CVE/NVD. Researchers at Risk Based Security have identified 5,970 more vulnerabilities than are included in the CVE/NVD. They also found that many of the disclosed flaws not reported in the CVE/NVD are considered high risk or critical. Because the CVE/NVD only lists flaws disclosed directly by security vendors and researchers, thousands of flaws reported in other ways are not included in these sources. This article continues to discuss the absence of major security flaws in the CVE/NVD, the reliance on these sources for vulnerability information, the different ways in which researchers disclose flaws, and the companies that disclosed the most flaws in their products last year.

Dark Reading reports "Most Organizations Have Incomplete Vulnerability Information"
