
2019 Open Source Vulnerabilities Rise: Delays in Reporting Risks


Total vulnerabilities in open-source software (OSS) more than doubled in 2019. While open-source code is often considered more secure than commercial software, OSS vulnerabilities are on the rise and may be a blind spot for many organizations.

The study also revealed that it takes a very long time for OSS vulnerabilities to be added to the National Vulnerability Database (NVD): on average, 54 days pass between public disclosure and inclusion in the NVD. Organizations that rely on the NVD alone as their source of vulnerability information can therefore remain exposed to serious application security risks for almost two months.

These long lags were seen across all severities, including vulnerabilities rated 'Critical' and those that were weaponized, meaning vulnerabilities for which an exploit is present in the wild.
