Some of the results were surprising, such as the Linux kernel having more CVE vulnerabilities than any other product, while others were less surprising, such as Microsoft being the vendor with the most vulnerabilities, or buffer overflows being the most common vulnerability type of the last quarter century.
We leveraged two well-respected data sources for our research. First, our classifications of vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) database, which is used today as the international standard for vulnerability numbering and identification. The database provides 25 years of vulnerability information to assess, spanning 1988 to the present.
Next, we used information hosted in the National Vulnerability Database (NVD) at the National Institute of Standards and Technology (NIST). We normalized the data with respect to vulnerability categorization in order to provide more complete statistics. Additional details on the methodology used for modifying the NVD data are provided at the end of the report. Two important caveats: First, not every vulnerability is assigned a CVE, so those of course aren’t counted here. Second, NVD assigns a CVSS score of 10 when a vendor does not provide sufficient information to assess the impact of the vulnerability, so a score of 10 does not always reflect an actual assessment.
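To make the methodology concrete, the following is an added example (not code from the report or from NIST) that tallies NVD-style records by vendor and by a normalized vulnerability category, and separates out entries whose CVSS score of 10 coincides with missing weakness information. The records, the CWE-to-category mapping, and the rule that treats "score 10.0 with no CWE information" as a default rather than an assessment are all constructed assumptions for this illustration.

```python
"""Tally constructed NVD-style records by vendor and vulnerability category.

Added illustration of the normalization and caveat handling the report
describes. The records, the CWE-to-category map, and the default-score
heuristic are assumptions for this example, not NVD's actual data or rules.
"""
from collections import Counter

# Assumed coarse categories for a handful of CWE identifiers. Several
# distinct CWEs are folded into one bucket, which is the kind of
# normalization needed before counting "buffer overflows" as one category.
CWE_CATEGORY = {
    "CWE-119": "Buffer Errors",
    "CWE-120": "Buffer Errors",
    "CWE-787": "Buffer Errors",
    "CWE-79": "Cross-Site Scripting",
    "CWE-89": "SQL Injection",
    "CWE-20": "Input Validation",
}
UNCLASSIFIED = "Unclassified"

# Constructed sample records in a simplified NVD-like shape. The CVE ids
# are placeholders and do not refer to real entries.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "vendor": "linux", "product": "linux_kernel", "cwe": "CWE-119", "cvss": 7.2},
    {"id": "CVE-0000-0002", "vendor": "linux", "product": "linux_kernel", "cwe": "CWE-787", "cvss": 4.6},
    {"id": "CVE-0000-0003", "vendor": "microsoft", "product": "windows", "cwe": "CWE-120", "cvss": 9.3},
    {"id": "CVE-0000-0004", "vendor": "microsoft", "product": "office", "cwe": "CWE-79", "cvss": 4.3},
    # Score of 10.0 with no weakness information: plausibly a default, not an assessment.
    {"id": "CVE-0000-0005", "vendor": "example_vendor", "product": "example_app", "cwe": "NVD-CWE-noinfo", "cvss": 10.0},
    # Score of 10.0 with a concrete weakness: keep it as a genuine assessment.
    {"id": "CVE-0000-0006", "vendor": "example_vendor", "product": "example_app", "cwe": "CWE-89", "cvss": 10.0},
]


def normalize_category(cwe):
    """Map a CWE identifier to a coarse category; unknown or missing CWEs are 'Unclassified'."""
    return CWE_CATEGORY.get(cwe, UNCLASSIFIED)


def is_default_score(record):
    """Assumed heuristic: a 10.0 with no CWE information is treated as a default score."""
    return record["cvss"] == 10.0 and record["cwe"] in (None, "", "NVD-CWE-noinfo")


def tally(records, exclude_default_scores=False):
    """Count records by vendor and by normalized category.

    Returns (by_vendor, by_category, flagged_ids). Flagged ids are records that
    matched the default-score heuristic; they are dropped from the counts only
    when exclude_default_scores is True.
    """
    by_vendor = Counter()
    by_category = Counter()
    flagged = []
    for rec in records:
        if is_default_score(rec):
            flagged.append(rec["id"])
            if exclude_default_scores:
                continue
        by_vendor[rec["vendor"]] += 1
        by_category[normalize_category(rec["cwe"])] += 1
    return by_vendor, by_category, flagged


def mean_cvss(records, exclude_default_scores=False):
    """Average CVSS score, optionally ignoring records flagged as default scores."""
    scores = [r["cvss"] for r in records
              if not (exclude_default_scores and is_default_score(r))]
    return sum(scores) / len(scores) if scores else 0.0


if __name__ == "__main__":
    vendors, categories, flagged = tally(SAMPLE_RECORDS)
    print("By vendor:", dict(vendors))
    print("By category:", dict(categories))
    print("Flagged as default score:", flagged)
    print("Mean CVSS (all):", round(mean_cvss(SAMPLE_RECORDS), 2))
    print("Mean CVSS (excluding defaults):", round(mean_cvss(SAMPLE_RECORDS, True), 2))
```

Running it shows the two effects the caveats warn about: three different CWEs collapse into a single "Buffer Errors" bucket, and the single default-scored entry both inflates the mean CVSS and lands in "Unclassified", so any ranking by severity should be computed with and without such entries before drawing conclusions.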