CERT
 
 

Full Statistics

The following is a complete report of all of the statistics CERT has available.



Vulnerability Remediation Statistics

Vulnerability remediation is one of the primary areas of work at the CERT® Coordination Center (CERT/CC). The CERT/CC strives to both reduce the number of vulnerabilities introduced into software and reduce the risk posed by existing vulnerabilities. Our standard remediation process includes collecting reports of vulnerabilities, performing technical analysis, coordinating with affected vendors, and establishing a reasonable timeframe for disclosing information about the vulnerability.

Cataloged vulnerabilities

| Year | Total vulnerabilities cataloged | From direct reports |
|---|---|---|
| Q1, 2008 | 1,474 | 52 |
| 2007 | 7,236 | 357 |
| 2006 | 8,064 | 345 |
| 2005 | 5,990 | 213 |
| 2004 | 3,780 | 170 |
| 2003 | 3,784 | 191 |
| 2002 | 4,129 | 343 |
| 2001 | 2,437 | 153 |
| 2000 | 1,090 | - |
| 1999 | 417 | - |
| 1998 | 262 | - |
| 1997 | 311 | - |
| 1996 | 345 | - |
| 1995 | 171 | - |
| Totals | 39,490 | |



Publications about vulnerabilities

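| Year | Vulnerability Notes published | Technical Security Alerts published | Security Alerts published |
|---|---|---|---|
| Q1, 2008 | 64 | 12 | 9 |
| 2007 | 366 | 42 | 31 |
| 2006 | 422 | 39 | 37 |
| 2005 | 285 | 22 | 11 |
| 2004 | 341 | 27 | 17 |
| 2003 | 255 | - | - |
| 2002 | 375 | - | - |
| 2001 | 326 | - | - |
| 2000 | 47 | - | - |
| 1999 | 3 | - | - |
| 1998 | 8 | - | - |
| Totals | 2,492 | 142 | 105 |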


Note: Rows in italic indicate documents published on behalf of US-CERT.



Column Definitions

  • Year - This column represents the calendar year, not fiscal year.
  • Total vulnerabilities cataloged - This column reflects the total number of vulnerabilities that we have cataloged based on reports from public sources and those submitted to us directly. Storing the information in our database allows our analysts to systematically record vulnerability data; helps provide insight into significant preconditions, impacts, and scope; and gives us a way to validate reports and recognize new classes of vulnerabilities.
  • From direct reports - This column reflects the total number of vulnerabilities we have cataloged based on vulnerabilities reported directly to us. We encourage people to report vulnerabilities so we can coordinate with affected vendors to resolve vulnerabilities while minimizing the risk to all stakeholders. To determine an approximate number of vulnerabilities from public sources, subtract the number of direct reports from the total vulnerabilities cataloged. The actual number may differ slightly because occasionally, vulnerabilities are reported directly to us and disclosed to the public at the same time.
  • Vulnerability Notes published - This column reflects the number of Vulnerability Notes we have published. These documents provide technical information and solutions to vulnerabilities that we have analyzed. Although we cannot publish information about every vulnerability, we make a concerted effort to publish information about the most critical and significant vulnerabilities. As of 2004, we publish these documents on behalf of US-CERT.
  • Technical Security Alerts published - This column reflects the number of Technical Security Alerts we have published in conjunction with US-CERT. These documents provide timely information about current security issues, vulnerabilities, and exploits.
  • Security Alerts published - This column reflects the number of Security Alerts we have published in conjunction with US-CERT. These documents provide timely information about current security issues, vulnerabilities, and exploits. They outline the steps and actions that non-technical home and corporate computer users can take to protect themselves from attack.

Vulnerability remediation statistics last updated April 14, 2008





Historical Statistics

While we continue to publish certain statistics, others have been deprecated. This may be because the work is no longer being performed or because the statistic no longer provides a clear representation of work. The statistics below are for historical reference only; they are no longer being maintained.

Communications

| Year | Mail messages processed | Hotline calls received | Incident reports received |
|---|---|---|---|
| 2006 | 674,235 | 977 | - |
| 2005 | 624,634 | 591 | - |
| 2004 | 717,863 | 795 | - |
| 2003 | 542,754 | 934 | 137,529 |
| 2002 | 204,841 | 880 | 82,094 |
| 2001 | 118,907 | 1,417 | 52,658 |
| 2000 | 56,365 | 1,280 | 21,756 |
| 1999 | 34,612 | 2,099 | 9,859 |
| 1998 | 41,871 | 1,001 | 3,734 |
| 1997 | 39,626 | 1,058 | 2,134 |
| 1996 | 31,268 | 2,062 | 2,573 |
| 1995 | 32,084 | 3,428 | 2,412 |
| 1994 | 29,580 | 3,665 | 2,340 |
| 1993 | 21,267 | 2,282 | 1,334 |
| 1992 | 14,463 | 1,995 | 773 |
| 1991 | 9,629 | - | 406 |
| 1990 | 4,448 | - | 252 |
| 1989 | 2,869 | - | 132 |
| 1988 | 539 | - | 6 |
| Totals | 3,201,855 | 24,464 | 319,992 |



Publications

| Year | Advisories published | Incident Notes published | Vendor Bulletins published | Summaries published |
|---|---|---|---|---|
| 2004 | 2 | 2 | - | - |
| 2003 | 28 | 4 | - | 4 |
| 2002 | 37 | 6 | - | 4 |
| 2001 | 37 | 15 | - | 4 |
| 2000 | 22 | 10 | - | 4 |
| 1999 | 17 | 8 | - | 5 |
| 1998 | 13 | 7 | 13 | 8 |
| 1997 | 28 | - | 16 | 6 |
| 1996 | 27 | - | 20 | 6 |
| 1995 | 18 | - | 10 | 3 |
| 1994 | 15 | - | 2 | - |
| 1993 | 19 | - | - | - |
| 1992 | 21 | - | - | - |
| 1991 | 23 | - | - | - |
| 1990 | 12 | - | - | - |
| 1989 | 7 | - | - | - |
| 1988 | 1 | - | - | - |
| Totals | 327 | 52 | 61 | 44 |




Column Definitions

  • Year - This column represents the calendar year, not fiscal year.
  • Mail messages processed - We continue to process all mail sent to us, but due to the increase in spam, viruses, and other unsolicited mail that we receive, we believe this statistic no longer provides meaningful information. As a result, we stopped providing the statistic at the end of 2006.
  • Hotline calls received - This statistic refers to the number of hotline calls we received per year. Given the variety of calls we receive on a wide range of computer security issues, it would be difficult to draw any type of conclusion based on this number, so 2006 marked the final year for this statistic.
  • Incident reports received - Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks. Therefore, we stopped providing this statistic at the end of 2003.
  • Advisories published - CERT Advisories provided timely information about current security issues, vulnerabilities, and exploits. Beginning in 2004, CERT Advisories became a core component of US-CERT's Technical Cyber Security Alerts.
  • Incident Notes published - CERT Incident Notes provided information about incidents to the Internet community. Since 2004, this information has been incorporated into US-CERT's Technical Cyber Security Alerts and Current Activity.
  • Vendor Bulletins published - Vendor Bulletins were intended to facilitate the coordinated distribution of information written by vendors about security problems and solutions. The bulletins were discontinued in 1998.
  • Summaries published - CERT Summaries were published each quarter to draw attention to the types of attacks reported to our incident response team during the previous three months, as well as other noteworthy incident and vulnerability information. Summaries were discontinued at the end of 2003.

Historical statistics last updated April 30, 2007
