# But is it exploitable?

By [Deploying Securely](https://paragraph.com/@haydock) · 2022-09-04

---

I frequently note that about 90% (sometimes I say 95%, as I think the former figure is conservative) of all Common Vulnerabilities and Exposures (CVE) identified in the National Vulnerability Database (NVD) are _not_ exploitable in any given configuration.

I do so because it happens to be true but also because many security teams find themselves overwhelmed by the volume of CVEs detected by modern scanning tools. To address this problem, I have [made](https://haydock.substack.com/p/cve-exploitability-how-to-communicate) some recommendations on how to evaluate and prioritize such findings.

With that said, people sometimes challenge my assertion about exploitability (some even implying I am [insane](https://www.linkedin.com/feed/update/urn:li:activity:6941091748928503808/?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6941091748928503808%2C6941115157615955968%29&replyUrn=urn%3Ali%3Acomment%3A%28activity%3A6941091748928503808%2C6941132564673830912%29) for holding this position) or, more subtly, ask for a source. So I thought it made sense to compile a list of studies backing up my claim. I did not arrive at the 90% figure through any scientific method; it is a rough mental average of the numbers in the studies listed below. Note that they measure different things: some count vulnerabilities whose code is actually reachable in a given application, others count those with a published exploit or with exploitation observed in the wild.

*   Rezilion: “[85% of Vulnerabilities Pose No Risk](https://www.rezilion.com/blog/rezilion-researchers-find-85-of-vulnerabilities-pose-no-risk/).”
*   Dark Reading: “[Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say](https://www.darkreading.com/application-security/open-source-software-bugs--attackability).”
*   Contrast Security: “[Study Finds That Less Than 10% Of Application Code Is Active Third-Party Library Code](https://www.contrastsecurity.com/security-influencers/2021-state-of-open-source-security-report-findings).”
*   Mend: “[research shows that only 15% to 30% of vulnerabilities are indeed effective.](https://www.mend.io/prioritize/)”
*   Kenna Security: “[Even though 20% of published CVEs have a clear threat (either actively exploited in the wild or a published exploit exists), only about 5% of them represent real risk right now for most firms.](https://website.kennasecurity.com/wp-content/uploads/2020/09/Kenna_Prioritization_to_Prediction_Vol_5.pdf)”
*   Forum of Incident Response and Security Teams: “[2%-7% of published vulnerabilities are ever seen to be exploited in the wild.](https://www.first.org/epss/model)”
*   Tenable: “[more than 75% of all vulnerabilities with a \[CVSS\] score of 7 or above have never had an exploit published against them](https://www.tenable.com/blog/why-you-need-to-stop-using-cvss-for-vulnerability-prioritization).”

Please let me know if there are any other studies relevant to this topic, and I will include them. I will also keep my eyes peeled for future research on this topic (and will adjust my 90% number if I find anything greatly contradicting this figure).
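As an added illustration of what "not exploitable in a given configuration" means in practice (this is example code written for this page, not code from the original post or from any of the studies above), here is a small Python triage that gates each scanner finding first on whether the vulnerable code is present and reachable in the deployment, and only then on threat signals such as a KEV listing, a published exploit or an EPSS score. The sample findings, the placeholder ids, the EPSS threshold of 0.1 and the `version_affected`/`reachable` flags are all constructed assumptions; in a real pipeline those fields would come from your scanner or SCA tool.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Field order: id, cvss, epss, in_kev,
    exploit_published, version_affected, reachable."""
    id: str
    cvss: float                # CVSS base score reported by the scanner
    epss: float                # EPSS probability (0-1) of exploitation in the next 30 days
    in_kev: bool               # listed in CISA KEV, i.e. observed exploited in the wild
    exploit_published: bool    # a public exploit exists
    version_affected: bool     # the deployed version falls in the advisory's affected range
    reachable: bool            # the vulnerable code is loaded and reachable in this build


def is_exploitable_here(f: Finding) -> bool:
    """Configuration gate: a CVE is only exploitable in this deployment if the
    affected version is what is actually running and the vulnerable code can
    be reached. Everything else is noise for this configuration."""
    return f.version_affected and f.reachable


def has_clear_threat(f: Finding, epss_threshold: float = 0.1) -> bool:
    """Threat gate: in-the-wild exploitation, a public exploit, or an EPSS
    score at or above an assumed threshold (0.1 here is an arbitrary knob)."""
    return f.in_kev or f.exploit_published or f.epss >= epss_threshold


def triage(findings: list[Finding], epss_threshold: float = 0.1) -> dict[str, list[str]]:
    """Bucket findings: 'fix_now' (exploitable here and a clear threat),
    'schedule' (exploitable here, no threat signal yet), 'not_exploitable'
    (cannot be exploited in this configuration regardless of CVSS)."""
    fix_now: list[Finding] = []
    schedule: list[Finding] = []
    not_exploitable: list[Finding] = []
    for f in findings:
        if not is_exploitable_here(f):
            not_exploitable.append(f)
        elif has_clear_threat(f, epss_threshold):
            fix_now.append(f)
        else:
            schedule.append(f)
    # Within 'fix_now', KEV entries first, then by EPSS, then by CVSS.
    fix_now.sort(key=lambda f: (not f.in_kev, -f.epss, -f.cvss))
    # Findings with no threat signal are ordered by CVSS only.
    schedule.sort(key=lambda f: -f.cvss)
    return {
        "fix_now": [f.id for f in fix_now],
        "schedule": [f.id for f in schedule],
        "not_exploitable": [f.id for f in not_exploitable],
    }


def not_exploitable_fraction(findings: list[Finding]) -> float:
    """Share of findings that are not exploitable in this configuration."""
    if not findings:
        return 0.0
    return sum(not is_exploitable_here(f) for f in findings) / len(findings)


# Constructed sample (the ids are placeholders, not real CVE identifiers).
SAMPLE = [
    Finding("V1", 9.8, 0.92, True,  True,  True,  True),   # running, reachable, in KEV
    Finding("V2", 9.8, 0.40, False, True,  True,  False),  # vulnerable function never called
    Finding("V3", 7.5, 0.02, False, False, True,  True),   # reachable but no threat signal
    Finding("V4", 8.1, 0.01, False, False, False, True),   # deployed version not affected
    Finding("V5", 5.3, 0.30, False, True,  True,  False),  # dev-only dependency, not shipped
    Finding("V6", 9.1, 0.05, False, False, True,  False),  # transitive library never loaded
    Finding("V7", 7.2, 0.15, False, False, True,  True),   # EPSS above threshold
    Finding("V8", 6.5, 0.00, False, False, False, False),  # wrong version and unreachable
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE).items():
        print(f"{bucket:16s} {ids}")
    print(f"not exploitable here: {not_exploitable_fraction(SAMPLE):.0%}")
```

The point of ordering the gates this way is that the configuration check comes before any severity or threat score: three of the sample findings carry a CVSS of 9 or higher yet land in the not-exploitable bucket because the affected code never runs, which is the kind of reduction the studies above report in their various ways.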

---

*Originally published on [Deploying Securely](https://paragraph.com/@haydock/but-is-it-exploitable)*
