Although there are many security companies and organizations in this field, very few of them produce vulnerability databases, which are so useful against threats.
All companies should do so, cataloging bugs and then reporting industry trends based on the data they collect. This gives them the opportunity to offer valuable information about the most common types of threats, as well as where these threats are found.
Because this data is so important, it must be continuously updated and kept accurate for the reports to be relevant. Otherwise, a single piece of wrong information can radically change the report's results. After Google's online security specialists examined the IBM X-Force 2010 Mid-Year Trend and Risk Report, they were surprised to discover many errors that affected the report's conclusions.
Google has a strong Product Security Response team that works especially on high-risk and critical vulnerabilities. They analyzed the report and found that the 33% of critical and high-risk bugs it counted as unpatched was attributable to a single unpatched vulnerability.
They also discovered that the vulnerability counted as unpatched was in fact not unpatched at all, because of a terminology mix-up. Their conclusion is therefore that the true unpatched rate is practically 0%.
Google believes that, to make these databases more useful to the field, vendors should collaborate more closely with the database compilers. This would have the advantage of limiting the spread of wrong information.
The first step should be for the compilers to reach out to the vendors and together find a workable solution for the information flow. With a little work, we will soon see the quality of vulnerability trend reports increase.