
US-CERT Reports 17,447 Vulnerabilities Recorded in 2020

This marks the fourth year in a row that a record number of vulnerabilities has been discovered, following 17,306 in 2019.

The US-CERT Vulnerability Database has confirmed 17,447 vulnerabilities were recorded in 2020, marking the fourth consecutive year with a record number of security flaws published.

On Dec. 15, 2020, officials reported 4,168 high-severity vulnerabilities, 10,710 medium-severity vulnerabilities, and 2,569 low-severity vulnerabilities this year. In 2019, there were 17,306 flaws published: 4,337 high-severity, 10,956 medium-severity, and 2,013 low-severity vulnerabilities.

The continuous increase raises a question: Are developers pushing more unsecured code, or are white-hat hackers getting better at finding vulnerabilities? Given the current climate and the growing popularity of bug bounty programs, experts suggest both factors could be at play.

This year saw massive growth in crowdsourced security. In its recent "Priority One" report, security firm Bugcrowd notes a 50% increase in vulnerability submissions in the last 12 months compared with the year prior. These bug reports reflect a 65% increase in P1 submissions (the most critical vulnerabilities) and a 4% increase in the validity of submissions.

"Hackers are finding bugs with greater impact, and communicating them to affected organizations with greater accuracy," Bugcrowd founder and CTO Casey Ellis wrote in a blog post.

Web applications make up the majority of vulnerabilities reported, but Bugcrowd data shows other categories are catching up as hackers diversify their skill sets to remain competitive in the ever-growing space. Submissions for all targets increased in 2020; notably, API vulnerabilities doubled and bugs discovered in Android targets more than tripled this year, researchers report.

The COVID-19 pandemic forced security practitioners into response mode, and the industry was at first preoccupied with keeping the lights on, changing work practices, and reprioritizing projects. However, as the industry grew accustomed to remote work and spent more time at home, Bugcrowd saw an increase in activity: Critical bug (P1) payouts jumped 31% between the first and second quarters of this year; P2 payouts increased 31% between quarters two and three.

HackerOne confirmed similar findings in its latest "Hacker Powered Security Report" earlier this year. More than a third of the 180,000 bugs found via HackerOne were reported in the past year. New hacker signups on the platform increased 59%, and submitted bug reports grew by 28%, in the months immediately following the start of the pandemic, researchers report. The businesses participating in crowdsourced security paid 29% more bounties in the same period.

This year has forced many businesses to rethink their vulnerability disclosure programs (VDPs), which have traditionally focused more on customer-facing assets and attack surfaces. Now they want more information on weaknesses in third-party systems or applications employees use on a regular basis. Many VDPs have grown to include back-end business support systems as well.

"It was nowhere near the norm, and that's quickly become the norm over the past few months," says HackerOne co-founder and CTO Alex Rice. "Organizations recognize that their attack surface is evolving. … What they thought was their perimeter before isn't quite the perimeter."

The increased participation in crowdsourced security has certainly driven the number of bugs reported this year; however, it's worth noting the pandemic's effect on software development. Many organizations have had to rush applications into production, cutting down on quality assurance cycles and relying more heavily on third-party, legacy, and open source code, says Pravin Madhani, co-founder and CEO at K2 Cyber Security.

"Despite the emergence of DevSecOps and shift-left approaches, the number of vulnerabilities in released code continues to rise," he says. "Companies still struggle to find the balance between getting applications to market quickly and securing their code."

If the timing of vulnerability disclosures proved a challenge to your security team, you're not alone. Three times in 2020, Microsoft and Oracle rolled out security fixes on the same day. More patches are released on Patch Tuesday than any other day of the month, and this year has been a big one for Microsoft alone: In eight months of 2020, the company released more than 110 patches for its products and services; in June and September, the count was 129 fixes.

"The first thing I think of is just volume," says Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) about Patch Tuesday trends. "There's so many patches from Microsoft; it's just a record year for them. We're probably going to disclose a record amount of advisories in the ZDI."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

12/17/2020 | 12:58:37 PM
RE: record number of CVE Vulnerabilities in 2020
Interesting article, but I guess we shouldn't be surprised by the sheer number of CVEs in 2020.

Programmers are still not well trained in secure coding as the industry is more interested in quantity of code than security of code.

But the other problem is the actual elephant in the room: any computer or computer network that has internet access will forever be vulnerable and intrinsically insecure. Every networked device with an internet connection is either one or two user clicks away from compromise or just one determined Red Team's best efforts away from a successful breach. And we learn this lesson over & over again because we've become utterly dependent on an inherently insecure internet infrastructure.

This has become increasingly alarming because our personal information, intellectual property, defense department data, financial information, and even the electronic door locks on our homes & businesses are all subject to remote attack and successful compromise. All the while, new internet-connected products are released almost every day, and sales & marketing people run around selling "the cloud...the cloud". A cloud being a huge blind spot where almost anything could be happening that you won't see coming until the split second when it hits you.

So, we can make an educated guess and say with almost complete certainty that 2021 will report a new record number of CVEs. The beat goes on...
