Predicting the volume of CVEs with Vuln4Cast

Friday, June 2nd, 2023

National CERT and CSIRT teams regularly need to write alerts on upcoming CVEs, and might want to know how many alerts to expect to write. Teams scanning the internet need to know how many new CVE signatures they might write. Teams creating patches or doing the patching need to consider how many patches they might apply. Equities discussions might want to know how likely they are to see a vulnerability of this type again in the near future.

All of that begins with the ability to forecast the volume of vulnerabilities produced over a time frame. These forecasts have been discussed for a long time in academic papers, but it is time to make the code available to the public to experiment with.

We believe many other important elements of defending the internet will flow from reducing the surprise element of vulnerabilities. It may not be possible to predict exactly what vulnerability will occur, but broad trends can be forecast. It is practical and useful. However we also believe it is foundational, in the sense that further defenses will build on this cornerstone of making vulnerability forecasts normal.

This code is provided not as a best solution that you should begin using immediately, but rather as a point of departure. This code proves it is possible and practical to forecast vulnerabilities, but also serves as a strawman: can your team produce better forecasts? Those forecasts can be more precise, or have better confidence intervals, or extend longer into the future. They might focus on certain aspects such as CVSS scores, or CAPEC, or even specific vendors. They might use different data sets to forecast such as JVN or CNVD.

In the coming months, we plan to create a Technical Colloquia around vulnerability forecasting and exploit prediction. Keep an eye out for the CFP, but in the meantime, play with these forecasts, use the Hurst exponent to prove to yourself it is possible, and then try to produce better forecasts.

To democratise vulnerability forecasting will be a long road, and we'd like to thank Airbus, Concinnity Risks, FIRST, and the EPSS SIG for their support on this long road. Enjoy the open source, and please contribute to the repository and spread the word: Vulnerability Forecasting is practical, useful, and easy.