
Monitoring updates in vulnerability databases using OpenCVE

by Denis Makrushin

As long as CVE remains the main index of known vulnerabilities, teams of security analysts and engineers will develop processes to track updates. They will not only track changes, but also enrich the database with additional data to help them prioritise fixes accurately.

I recently came across the OpenCVE project, which provides an open-source platform for monitoring key vulnerability sources. What I find interesting about the platform is that, in addition to the standard severity and CVSS metrics, it regularly adds extra metrics to the CVE:

  • EPSS (Exploit Prediction Scoring System): the probability that a vulnerability will be exploited in real attacks within the next 30 days.
  • SSVC (Stakeholder-Specific Vulnerability Categorisation): a system of criteria that helps determine the urgency of a problem.
  • KEV (Known Exploited Vulnerabilities): a catalogue of vulnerabilities that are already being exploited in real attacks.

Engineers building vulnerability management processes can use this platform to quickly receive relevant software updates. Information security researchers can track trends. I have also personally prepared a simple dashboard that tracks updates in the OpenCVE DB and provides the following insights:

  • total number of known vulnerabilities and the classes that interest me, such as cloud bugs and problems in AI infrastructure
  • moving average for new vulnerabilities, which allows me to track ‘outbreaks’ of critical issues
  • top 10 high-risk vulnerabilities with exploits in the last 24 hours.
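
The last two insights can be sketched in a few lines. This is an added example, not the dashboard's or OpenCVE's code: the record fields (`published`, `cvss`, `epss`, `kev`), the placeholder CVE ids, and the window and threshold values are all assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample records; field names and ids are placeholders,
# not OpenCVE's schema or real CVE entries.
D0 = date(2025, 1, 1)

def rec(n, day, cvss, epss, kev):
    return {"id": f"CVE-0000-{n:04d}", "published": D0 + timedelta(days=day),
            "cvss": cvss, "epss": epss, "kev": kev}

SAMPLE = [rec(i, i % 7, 5.0, 0.01, False) for i in range(14)]        # 2 per day, days 0-6
SAMPLE += [rec(100 + i, 7, 9.8, 0.02 * i, i == 3) for i in range(8)]  # burst on day 7

def daily_counts(records, start, days, min_cvss=0.0):
    """New vulnerabilities per day, optionally limited to a severity floor."""
    per_day = Counter(r["published"] for r in records if r["cvss"] >= min_cvss)
    return [per_day[start + timedelta(days=i)] for i in range(days)]

def outbreaks(counts, window=7, factor=2.0):
    """Indexes of days whose count exceeds factor x the trailing moving average."""
    flagged = []
    for i in range(window, len(counts)):
        avg = sum(counts[i - window:i]) / window
        # Floor the baseline at 1 so a quiet week does not flag a single new entry.
        if counts[i] > factor * max(avg, 1.0):
            flagged.append(i)
    return flagged

def top_risk(records, since, n=10):
    """Recent entries ranked KEV-listed first, then by EPSS, then by CVSS."""
    recent = [r for r in records if r["published"] >= since]
    return sorted(recent, key=lambda r: (r["kev"], r["epss"], r["cvss"]),
                  reverse=True)[:n]

if __name__ == "__main__":
    counts = daily_counts(SAMPLE, D0, 8)
    print("daily counts:", counts, "outbreak days:", outbreaks(counts))
    for r in top_risk(SAMPLE, since=D0 + timedelta(days=7), n=3):
        print(r["id"], "KEV" if r["kev"] else "-", r["epss"], r["cvss"])
```

Ranking KEV membership ahead of EPSS puts confirmed exploitation before predicted exploitation; the ordering of the sort key is a policy choice to adapt to your own triage rules.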
