According to a study by NSS Labs, four digits are enough for the time being
In January, the MITRE Corporation announced that starting with January 1, 2014, the Common Vulnerabilities and Exposure (CVE) syntax would be changed so that a larger number of vulnerabilities could be tracked in a single year.Now, the CVE syntax supports only 9,999 unique bugs. That’s because the current syntax is CVE-YYYY-NNNN, where YYYY represents the year and NNNN a unique identifier.
Three options for a new ID syntax have been proposed and the public can comment on them by sending an email to email@example.com.
The results of a study released on Monday by NSS Labs shows that, for now, 9,999 unique identifiers are enough. However, the company believes that more vulnerabilities are expected on the long term, so the changes proposed by MITRE are welcome.
So far, most vulnerabilities, 6,462, have been identified in 2006. The number has been steadily decreasing even since, until 2012, when over 5,200 security holes were disclosed.
NNS’s study also shows that over 90% of the security bugs reported in 2012 are moderately or highly critical, while 9% of the reported flaws are extremely critical.
On average, only one percent of the vendors whose software was impacted accounted for 31% of the total of vulnerabilities disclosed per year.
Compared to the average disclosures of the last 10 years, only one of the top 10 companies managed to reduce vulnerability disclosures in 2012.
Interestingly, vulnerability disclosures in Microsoft and Apple operating systems dropped by 56%, respectively 53% compared to the previous year.
It’s also worth noting that the bugs identified in industrial control systems increased 6 times from 2010 to 2012.
Here’s a video in which NSS shows the 2012 evolution of vulnerability disclosures by vendor. Each dot represents a specific vulnerability, while the clusters represent the vendor with multiple disclosed security holes.