[This was originally published on RiskBasedSecurity.com in the 2018 Vulnerability Mid-year Report.]
As stated earlier in this report, “incomplete information, constant updates and revisions, misinterpretation, and errors in reporting can all contribute to a level of confusion regarding the impact, severity and risk a vulnerability represents.” One way this manifests is in vulnerability reports that disclose what isn’t really a vulnerability. Because the researcher does not properly understand the issue, or overlooks some aspect that already mitigates it, they claim a program is vulnerable when it isn’t. RBS flags these issues as “not a vulnerability”, or “NAV” for short.
It may seem counterintuitive for a vulnerability database to track issues that are not vulnerabilities. We would prefer not to! However, there are times when the disclosure is not challenged and persists, leaving the bad information available to the public. An organization that runs across such an issue could then waste time trying to determine whether it is affected, or implementing a workaround that isn’t needed. In those cases, it is better to include the issue, describe it accurately, and clearly state that it is not a vulnerability.
Generally, RBS policy is to ignore such a disclosure if it is made in only one or two places and doesn’t garner much attention. However, when that non-vulnerability is added to another database, e.g. CVE, it becomes important for us to cover it properly. This gives our customers timely and accurate information about both vulnerabilities and non-vulnerabilities, helping them better protect their organizations.
To better understand how often this happens, the following graph shows the number of “NAV” disclosures at the mid-point of each year since 2014, up until the mid-point of 2018. While 2018 currently appears to be lower than the two prior years at their mid-points, it still represents a significant number of disclosures that RBS has evaluated and determined not to be vulnerabilities, in order to continue providing the highest quality vulnerability intelligence possible.