The talk's "foundational plot" — exponential growth since the CNA program opened up in late 2016.
~60% of vendors in the talk's dataset had published exactly one CVE; a handful of vendors dominate volume.
Distinct CWE types assigned per quarter — the talk found this exploded right at the 2016/17 CNA-program breakpoint.
The talk found ~5% of CVEs carry more than one CWE — a minor but real complication for CWE-frequency analysis.
A large share of older CVEs in this table were never assigned a CVSS score at all — the "ruler" isn't just changing version, it's often missing entirely.
Severity mix of CVEs known to be actively exploited (CISA KEV) vs. the full population — does CVSS predict what actually gets used?