CVE? Nope. NVD? Nope. Serious must-patch type flaws skipping mainstream vuln lists – report The first half of 2018 saw a record haul of reported software vulnerabilities yet a high proportion of these won’t appear in any mainstream flaw-tracking lists, researcher Risk Based Security (RBS) has claimed. According to the company’s estimate, from the beginning of the year until June 30 it recorded a total of 10,644 …
As a penetration tester for a large company, it's my job to test all applications before they are certified on our networks. This includes internally developed, as well as COTS apps.
Probably more than 60% of the time, I find vulnerabilities for the vendor to fix. Around 10-20% of the time, it's a critical vulnerability (remote and easy to do). Each time, I noticed they NEVER publish the vulnerability. They just add the fix quietly into their next "update". No mention of what we find at all.
So why don't we say something out loud? Because most software vendors/companies have items in their commercial EULA's which amounts to a non-disclosure agreement. Getting on a bulletin board, twitter, etc. will put the company you work for--and your job--in jeopardy; so unfortunately this isn't an option.
So if your a network engineer, be aware of this factor and use it to budget better security equipment to mitigate this fact. Especially with external facing web applications.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
