Beyond CVEs: Untracked Vulnerabilities in Public Issue Trackers

Conference Paper (2026)
Research Group
Organisation & Governance
DOI (related publication)
https://doi.org/10.1145/3803525.3804993 (final published version)
Publication Year
2026
Language
English
Pages (from-to)
46-52
Publisher
ACM
ISBN (electronic)
9798400726033
Event
19th European Workshop on Systems Security, EuroSec 2026 (2026-04-27 - 2026-04-30), Edinburgh, United Kingdom
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Software vulnerabilities, particularly in open-source software (OSS) components, which are now embedded in nearly every application, pose major security and privacy risks. Existing tools and research focus largely on vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) system, so vulnerabilities without CVE identifiers are often overlooked. In this study, we estimate the number of such CVE-less vulnerabilities in OSS projects by systematically analyzing project issue trackers to identify security-related reports that could qualify for CVEs. We use an AI-human collaborative approach, combining AI-based issue pre-filtering with expert validation, to estimate the prevalence of these overlooked vulnerabilities efficiently and accurately.

We closely examined four large C++ projects and found that approximately 1.55% of all reported issues were classified by our model as security-related. Expert validation performed by the CVE Numbering Authority (CNA) Administrator on the gRPC project revealed that about 22% of these predicted security-related issues correspond to real, previously untracked vulnerabilities. That count is nearly five times the total number of CVEs listed for gRPC in the National Vulnerability Database (NVD). These results reveal a gap in today's vulnerability disclosure ecosystem: many vulnerabilities are publicly disclosed in issue trackers yet never formally communicated through the CVE program, leaving them largely unexplored and potentially unaddressed.
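The two-stage procedure the abstract describes (pre-filter the issue tracker, have an expert validate the flagged subset, extrapolate) can be reproduced on a small scale. The script below is an added example written for this page; it is not the paper's code or the gRPC project's. Where the paper uses an AI-based classifier, this script substitutes a transparent keyword/heuristic scorer (the patterns and weights are illustrative assumptions, as is the 3.0 threshold), and the issue records, the reviewer's verdicts and the NVD count are constructed inline and do not describe any real gRPC issue. The record fields (number, title, body, labels[].name) mirror the GitHub REST issues payload so a real export can be dropped in.

```python
"""Two-stage triage for CVE-less vulnerabilities in a public issue tracker.

Added example, not the paper's code. Stage 1 ranks issues with a heuristic
security score (a stand-in for the paper's AI pre-filter); stage 2 takes an
expert-validated sample of the flagged set and extrapolates: estimated
untracked vulnerabilities = |flagged| x precision, compared against the
project's NVD CVE count. All inputs below are constructed.
"""
import re
from math import sqrt

# Security-indicative patterns and weights (illustrative assumptions).
SIGNALS = [
    (r"\b(use[- ]after[- ]free|double[- ]free|heap[- ]buffer[- ]overflow|"
     r"stack[- ]buffer[- ]overflow|out[- ]of[- ]bounds|oob)\b", 3.0),
    (r"\b(asan|addresssanitizer|ubsan|msan|valgrind)\b", 2.0),
    (r"\b(segfault|segmentation fault|sigsegv|sigabrt|null (pointer )?deref\w*)\b", 1.5),
    (r"\b(dos|denial of service|infinite loop|unbounded|memory exhaustion|oom)\b", 1.5),
    (r"\b(crash\w*|abort\w*|assert(ion)? fail\w*)\b", 1.0),
    (r"\b(malicious|malformed|untrusted|attacker|crafted|fuzz\w*)\b", 1.5),
    (r"\b(tls|ssl|certificate|auth\w*|credential|token)\b", 1.0),
]
LABEL_BONUS = {"security": 3.0, "bug": 0.5, "kind/bug": 0.5}
THRESHOLD = 3.0                                  # assumed cut-off for review
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)


def score_issue(issue: dict) -> float:
    """Heuristic score for one issue record; higher = more likely a vuln report."""
    text = f"{issue.get('title', '')}\n{issue.get('body', '')}"
    score = sum(w for pat, w in SIGNALS if re.search(pat, text, re.I))
    score += sum(LABEL_BONUS.get(lab.get("name", "").lower(), 0.0)
                 for lab in issue.get("labels", []))
    if CVE_ID.search(text):      # already in the CVE program: not a CVE-less candidate
        score -= 5.0
    return score


def prefilter(issues, threshold=THRESHOLD):
    """Stage 1: return [(number, score)] at or above threshold, best first."""
    scored = [(i["number"], score_issue(i)) for i in issues]
    scored.sort(key=lambda t: (-t[1], t[0]))
    return [t for t in scored if t[1] >= threshold]


def wilson(k, n, z=1.96):
    """Wilson 95% interval for a proportion k/n (small validated samples)."""
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def estimate_untracked(total_issues, flagged, validated, nvd_cve_count):
    """Stage 2: extrapolate from expert verdicts {issue_number: is_real_vuln}."""
    if not validated:
        raise ValueError("need at least one expert-validated issue")
    n, k = len(validated), sum(1 for v in validated.values() if v)
    precision = k / n
    estimated = len(flagged) * precision
    return {
        "flagged_share": len(flagged) / total_issues,
        "precision": precision,
        "precision_ci95": wilson(k, n),
        "estimated_untracked": estimated,
        # None when the project has no NVD entries at all (ratio undefined)
        "untracked_vs_nvd": estimated / nvd_cve_count if nvd_cve_count else None,
    }


def mk(number, title, body, *labels):
    """Build a constructed record shaped like a GitHub REST issue."""
    return {"number": number, "title": title, "body": body,
            "labels": [{"name": l} for l in labels]}


# Constructed sample tracker (not real issues of any project).
ISSUES = [
    mk(101, "Heap-buffer-overflow in HPACK decoder found by fuzzing",
       "ASAN reports heap-buffer-overflow in parse_header when given a crafted HEADERS frame.", "kind/bug"),
    mk(102, "Typo in README", "The word 'recieve' is misspelled in the installation section.", "documentation"),
    mk(103, "Server crashes with SIGSEGV on malformed metadata",
       "A metadata value with an embedded NUL causes a null pointer dereference; any client can trigger it.", "bug"),
    mk(104, "Feature request: custom load balancing policy", "Allow plugging in a custom LB policy via channel args.", "enhancement"),
    mk(105, "Unbounded memory growth when peer never acknowledges pings",
       "A peer that opens a stream and stops reading causes memory exhaustion; an attacker could use this for denial of service."),
    mk(106, "Build fails on macOS 14 with clang 16", "error: no member named 'foo'. Works with clang 15.", "kind/bug"),
    mk(107, "TLS certificate verification skipped when hostname override is set",
       "With the target name override option, the peer certificate's SAN is not checked against the override value.", "bug"),
    mk(108, "Assertion failure in flow control on WINDOW_UPDATE with zero increment",
       "Fuzzer-generated frame triggers abort() via an internal assert. Reproducible with the attached input.", "kind/bug"),
]
REVIEW = {101: True, 103: True, 105: True, 108: False}   # constructed expert verdicts
NVD_CVE_COUNT = 1                                         # constructed, not gRPC's real count

if __name__ == "__main__":
    flagged = prefilter(ISSUES)
    print("flagged for review:", flagged)
    print(estimate_untracked(len(ISSUES), flagged, REVIEW, NVD_CVE_COUNT))
```

Two caveats worth keeping in mind when running this over a real export. First, issue 107 (a certificate-verification bypass) scores below the threshold, so the flagged set has false negatives and the extrapolated figure is a lower bound on what the tracker holds, which matches the paper's framing of an estimate rather than a census. Second, the Wilson interval on precision is wide for a handful of reviewed issues; the reviewer's sample size drives the uncertainty of the final count far more than the pre-filter does.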