NopSec's 2018 report offers an analysis of current trends in vulnerability risk management. It examines the attributes of security vulnerabilities through a variety of lenses:
  • Attributes of vulnerabilities published since 2002 versus those only recently published
  • Attributes of all vulnerabilities published in the National Vulnerability Database (NVD) in contrast with only those uploaded into our platform by our clients
  • Vulnerabilities broken down by industry vertical, CVSS score, product vendor and active exploitation in the wild


Current Vulnerability Landscape (NVD)
44% of CVEs associated with malware were scored as medium or low on the CVSS scale (base score below 7.0), suggesting that focusing solely on CVEs with high scores (7.0 and above) would be a mistake: a CVSS-only cut-off would drop nearly half of the vulnerabilities known to be used by malware.
NopSec Client Base Data Vulnerability Landscape
Only half of the Top 20 vulnerabilities derived from NopSec client data can be fixed with a patch. The remainder are configuration weaknesses that must be corrected, or insecure cryptographic algorithms and protocols that must be disabled, so a remediation programme driven purely by patch deployment leaves them open.
NopSec's Risk Prediction
NopSec has found that the language used in CVE descriptions offers clues to the fate of a vulnerability. For example, roughly half of all descriptions of vulnerabilities linked to malware contain the words “allows remote”.
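The two findings above (malware-linked CVEs often score below 7.0, and the phrase “allows remote” in a description is a signal) can be turned into a simple prioritization check. The following is an added example written for this page, not NopSec's code or scoring model: it ranks a handful of constructed CVE records by a heuristic that starts from the CVSS base score and adds bonuses for known exploitation in the wild and for the watched phrase, then compares the result with a plain CVSS-only cut-off. The record format, the identifiers (`sample-1` and so on), the phrase list and the bonus weights are all assumptions made for illustration.

```python
"""Added example (not NopSec's code): rank constructed CVE records by a
heuristic that combines the CVSS base score with the two signals the report
calls out, known malware/in-the-wild exploitation and the phrase
"allows remote" in the description. Weights and records are illustrative."""
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical phrase list; the report only names "allows remote".
REMOTE_PHRASES = ("allows remote",)

# Bonus weights are assumptions chosen so that an exploited medium-severity
# CVE outranks an unexploited high-severity one; they are not from the report.
EXPLOITED_BONUS = 5.0
REMOTE_PHRASE_BONUS = 1.0


@dataclass(frozen=True)
class Cve:
    cve_id: str        # constructed identifier, not a real CVE number
    cvss: float        # CVSS base score, 0.0 to 10.0
    description: str   # NVD-style free-text description
    exploited: bool    # known malware / in-the-wild exploitation


def has_remote_phrase(description: str) -> bool:
    """True when the description contains a watched phrase (case-insensitive)."""
    text = description.lower()
    return any(phrase in text for phrase in REMOTE_PHRASES)


def cvss_band(score: float) -> str:
    """Coarse CVSS bands; 7.0 is the cut-off the report refers to."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def risk_score(cve: Cve) -> float:
    """Illustrative heuristic: CVSS base score plus fixed bonuses."""
    score = cve.cvss
    if cve.exploited:
        score += EXPLOITED_BONUS
    if has_remote_phrase(cve.description):
        score += REMOTE_PHRASE_BONUS
    return score


def prioritize(cves: Iterable[Cve]) -> List[Cve]:
    """Highest heuristic score first."""
    return sorted(cves, key=risk_score, reverse=True)


def cvss_only(cves: Iterable[Cve]) -> List[Cve]:
    """The approach the report warns against: keep only CVSS >= 7.0."""
    return [c for c in cves if cvss_band(c.cvss) == "high"]


def share_exploited_below_high(cves: Iterable[Cve]) -> float:
    """Fraction of exploited CVEs a CVSS-only cut-off at 7.0 would discard."""
    exploited = [c for c in cves if c.exploited]
    if not exploited:
        return 0.0
    missed = [c for c in exploited if cvss_band(c.cvss) != "high"]
    return len(missed) / len(exploited)


# Constructed sample records (descriptions and scores are made up).
SAMPLE = [
    Cve("sample-1", 9.8, "Stack-based buffer overflow allows remote attackers "
                         "to execute arbitrary code via a crafted packet.", False),
    Cve("sample-2", 5.0, "Improper input validation allows remote attackers "
                         "to cause a denial of service.", True),
    Cve("sample-3", 7.5, "Race condition allows local users to gain privileges.", False),
    Cve("sample-4", 3.3, "Missing access check allows local users to read files.", True),
    Cve("sample-5", 8.8, "Deserialization flaw allows remote attackers to run code.", True),
]

if __name__ == "__main__":
    for cve in prioritize(SAMPLE):
        print(f"{cve.cve_id:9} cvss={cve.cvss:4.1f} {cvss_band(cve.cvss):6} "
              f"exploited={cve.exploited!s:5} score={risk_score(cve):.1f}")
    print("CVSS-only keeps:", [c.cve_id for c in cvss_only(SAMPLE)])
    print("exploited CVEs a 7.0 cut-off misses:",
          f"{share_exploited_below_high(SAMPLE):.0%}")
```

On the constructed records the CVSS-only filter keeps `sample-1` and `sample-3` and discards `sample-2` and `sample-4`, both of which are exploited, while the combined heuristic puts `sample-2` ahead of the unexploited 9.8. In practice the exploitation flag would come from a threat-intelligence feed and the phrase check would be one feature among several, but the check against a CVSS-only cut-off is the one worth keeping in any prioritization pipeline.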