# But is it exploitable?

**Published by:** [Deploying Securely](https://paragraph.com/@haydock/)
**Published on:** 2022-09-04
**URL:** https://paragraph.com/@haydock/but-is-it-exploitable

## Content

I frequently note that about 90% (sometimes I say 95%, as I think the former figure is conservative) of all Common Vulnerabilities and Exposures (CVE) identified in the National Vulnerability Database (NVD) are not exploitable in any given configuration. I do so because it happens to be true, but also because many security teams find themselves overwhelmed by the volume of CVEs detected by modern scanning tools. To address this problem, I have made some recommendations on how to evaluate and prioritize such findings.

With that said, sometimes people challenge my assertion about exploitability (some even implying I am insane for holding this position) or, more subtly, ask for a source for my information. Thus I thought it made sense to compile a list of studies backing up my claim. I have arrived at the 90% number through no scientific method, but rather use it as a rough mental average of the figures listed in the various studies below.

- Rezilion: “85% of Vulnerabilities Pose No Risk.”
- Dark Reading: “Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say.”
- Contrast Security: “Study Finds That Less Than 10% Of Application Code Is Active Third-Party Library Code.”
- Mend: “research shows that only 15% to 30% of vulnerabilities are indeed effective.”
- Kenna Security: “Even though 20% of published CVEs have a clear threat (either actively exploited in the wild or a published exploit exists), only about 5% of them represent real risk right now for most firms.”
- Forum of Incident Response and Security Teams: “2%-7% of published vulnerabilities are ever seen to be exploited in the wild.”
- Tenable: “more than 75% of all vulnerabilities with a [CVSS] score of 7 or above have never had an exploit published against them.”

Please let me know if there are any other studies relevant to this topic, and I will include them. I will also keep my eyes peeled for future research on this topic (and will adjust my 90% number if I find anything greatly contradicting this figure).