Opteryx Try Opteryx →

CVE data quality explorer

Live queries against the real, current public.security.nvd_vulnerabilities and public.security.cisa_kev datasets via Opteryx OData — re-deriving the findings from "CVE is the worst vulnerability framework, except for all the others" (VulnCon, Ben Edwards & Sander Vinberg) on whatever data exists right now.

Loading…
CVEs in range
Critical + High
Actively exploited (KEV)
Avg CVSS score

Publication volume over time

weekly
The talk's "foundational plot" — exponential growth since the CNA program opened up in late 2016.

Vendor concentration

top 10 by CVE count
~60% of vendors in the talk's dataset had published exactly one CVE; a handful of vendors dominate volume.

Weakness (CWE) diversity

distinct CWEs / quarter
Distinct CWE types assigned per quarter — the talk found this exploded right at the 2016/17 CNA-program breakpoint.

Multi-CWE CVEs

share with >1 weakness assigned
The talk found ~5% of CVEs carry more than one CWE — a minor but real complication for CWE-frequency analysis.

Scored vs. unscored CVEs

share with a CVSS score assigned
A large share of older CVEs in this table were never assigned a CVSS score at all — the "ruler" isn't just changing version, it's often missing entirely.

Assigned severity vs. real-world exploitation

CISA KEV overlap
Severity mix of CVEs known to be actively exploited (CISA KEV) vs. the full population — does CVSS predict what actually gets used?