By Éireann Leverett and Mara M. Fernández Bermúdez
Tuesday, April 8, 2025
As is traditional, we like to review how we did last quarter before we give this quarter’s prediction. We do this for two reasons:
For Q1 2025 we had a mean prediction of 11420 CVEs, but 12035 were published at the US NVD. We’re obviously a little light on the mean, but comfortably within the 95% confidence interval of 10266-12575. By the end of the day on the 30th of June we forecast a mean of 11663 new CVEs published by NVD, or, if you prefer, between 10477 and 12848. We can see that even in the week it took to write this blog we already have 1378 published.
As we can see, last year was a bit out of character compared to previous years because of the disruption to budgets and schedules at the NVD. We had to do some extra work to minimise the effects of last year on the model output for this quarter, and as you can see it is still reflected in the variation between the quarters. These assumptions are what make the modelling a little trickier than just running code, and that’s why we have expanded the forecasting team to include more people.
Both in the past year and this year, we are seeing a number of problems related to NVD’s maintenance of the database content. This is not to criticise the good folks there doing great work, but rather to highlight the challenges of maintaining this content.
Some of the problems they have encountered:
Publication delays: the management problems identified in 2024 are well known, but furthermore, on 19th March, NVD published a post on its blog in which it stated:
Periods of pause and reactivation of database content management.
Errors in publication dates that are later corrected (this in particular was highlighted in the blog entry on the 2024 year in review).
One thing our team would like to highlight is that NVD’s problems last year are going to become everyone’s problems in the years to come. In other words, everyone has a backlog of things to patch and triage, not just NVD. While these forecasts are fast and simple to produce, we publish them so we can talk about the important things: how do we triage, process, and prioritise vulnerabilities faster and better?
Welcome Mara and Angelo to the forecasting team; we hope to see more from you in this year’s blogs about how these forecasts are being used in business to change the way we do security, privacy, and incident response work.
If you are interested in FIRST forecasting from other databases like the JVN, the CNNVD, or Trend Micro’s ZDI, do please get in touch and we’ll see what we can do. We’re also working to flesh out the forecasts we already do with more information, or to make them more usable for your business cases.
If you’re deeply interested in these topics, join the Vulnerability Forecasting Technical Colloquia in Cambridge this September!
The Vulnerability Forecasting Team @ FIRST.org