The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, according to an analysis published on Thursday by Risk Based Security.
While the drop occurred in the same quarter that the coronavirus pandemic caused many companies to start moving employees to remote work, there is no clear connection or mechanism that would explain why there would be fewer vulnerabilities, says Brian Martin, vice president of intelligence for Risk Based Security.
"Everything that is an outlier for us is due to COVID-19," he says. "But based on that, I could give you reasons why the numbers should be higher or should be lower because you can argue either way based on theories of COVID-19's impact."
The report is a snapshot in time of where the annual vulnerability count stands. While the overall count for the quarter may decline, one major finding is that some software companies' strategy of releasing vulnerabilities on the second Tuesday of the month — so-called Patch Tuesday — is starting to overburden IT security teams, Martin says.
"We do notice that Patch Tuesdays are getting worse and worse," he says. "Administrators and security teams are going to experience more of a problem on these Tuesdays because they have to triage more and more vulnerabilities."
The counting of publicly disclosed vulnerabilities varies among the organizations that track software flaws. The National Vulnerability Database run by the National Institute of Standards and Technology, for example, shows 7,950 recorded vulnerabilities so far in 2020 and appears to be on track to match last year's count.
The first-quarter vulnerability count is a running total. Risk Based Security and MITRE both backfill their databases with information on software flaws that may have been disclosed in the first quarter but were not initially counted. Based on previous trends, RBS expects the true count of vulnerabilities to land around 6,100 for the first quarter of 2020, down from an estimated final count of about 6,400 for the first quarter of 2019.
The company does not expect a final count to emerge until about three years later, according to the report.
"This trend is fairly consistent, and the end result is that we see our 'raw count' — the one we publish fresh off the press — mature to a steady future state within a period of three years," according to the RBS report.
The most likely explanation for the drop is some impact on software companies or on vulnerability researchers due to COVID-19 and the move for many companies to remote work, Martin says.
Yet the impact of COVID-19 could result in plausible explanations for a drop or for an increase, he says. Disruptions at work and reductions in security workers through layoffs could lead to fewer vulnerability reports being triaged and disclosed. However, with more time to pursue projects and the need to have additional wins on their resumes, vulnerability researchers could spend more time looking for security issues, he says.
"In this quarter, we know for sure that some security teams got cut back, and we still see these security companies losing people," Martin says. "Yet researchers who are out of work may go back to vulnerability research to put something on their resume. It could go either way."
Overall, Martin expects more clarity later in the year as more vulnerabilities found during the height of the initial surge of the pandemic in the first half of 2020 come to light.
"It is very difficult to say at this point, because we have just finished up with Q1, and it is so soon after COVID," he says. "We are close to on par for last year. It may have been a case with it just being a slow first quarter."