I frequently note that about 90% (sometimes I say 95%, as I think the former figure is conservative) of all Common Vulnerabilities and Exposures (CVE) identified in the National Vulnerability Database (NVD) are not exploitable in any given configuration.

I do so because it happens to be true but also because many security teams find themselves overwhelmed by the volume of CVEs detected by modern scanning tools. To address this problem, I have made some recommendations on how to evaluate and prioritize such findings.

With that said, sometimes people challenge my assertion about exploitability (some even implying I am insane for holding this position) or, more subtly, ask for a source for my information. Thus I thought it made sense to compile a list of studies backing up my claim. I have arrived at the 90% number through no scientific method but rather use it as a rough mental average of the figures listed in the various studies below.

• Rezilion: “85% of Vulnerabilities Pose No Risk.”

• Dark Reading: “Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say.”

• Contrast Security: “Study Finds That Less Than 10% Of Application Code Is Active Third-Party Library Code.”

• Mend: “research shows that only 15% to 30% of vulnerabilities are indeed effective.”

• Kenna Security: “Even though 20% of published CVEs have a clear threat (either actively exploited in the wild or a published exploit exists), only about 5% of them represent real risk right now for most firms.”

• Forum of Incident Response and Security Teams: “2%-7% of published vulnerabilities are ever seen to be exploited in the wild.”

• Tenable: “more than 75% of all vulnerabilities with a [CVSS] score of 7 or above have never had an exploit published against them.”

Please let me know if there are any other studies relevant to this topic, and I will include them. I will also keep my eyes peeled for future research on this topic (and will adjust my 90% number if I find anything greatly contradicting this figure).