Vulnerabilities (CVEs) Reserved per Year as a Proxy for US Economic Conditions and Outlook – Vulnerability Blog
This blog covers all things security, with a heavy focus on vulnerabilities, security assessment, open source intelligence (OSINT), and offensive security, with a strong emphasis on real world examples and scenarios. This blog will review security tooling, tactics, techniques, and technical deep dives into relevant security and technology topics. Join our discord for free to learn from the best in Cybersecurity!
While conducting my review of all CVEs published in 2024 (coming soon!) I noticed an interesting trend: years where CVEs fell compared to prior year correlated to poor economic conditions. in the US This article will attempt to describe the connection between the two data points.
TL;DR — Corporate spending on Cybersecurity often is tied to economic outlook. Higher spend in Cybersecurity generally results in more vulnerabilities (CVEs) published per year. A decrease of >0.4% is an exception and aligns with high unemployment rates.
For the purposes of this discussion we will be using the Reserved CVE ID totals per year found <here>. This number is the true denominator of what each CNA has been sent each year. A CVE can be in a “Reserved” state, “Published”, or “Rejected” state. Whether a CVE is Published or Rejected is less important than someone submitting for the CVE in the first place, because it indicates that work was completed by a researcher.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25431704/STK201_SAM_ALTMAN_CVIRGINIA_C.jpg)
