Vendor-Specific Vulnerability Analysis: A 26-Year Study of CVE Distribution Patterns
摘要
Vulnerabilities in systems represent weaknesses that can be exploited to cause significant damage, making their effective management crucial for organizational survival. As cyber threats continue to evolve, understanding and addressing these vulnerabilities is essential to protect against financial losses, operational disruptions, and reputational damage. In this paper, we conduct a 26-year CVE distribution pattern analysis of Common Vulnerabilities and Exposures (CVE), focusing on vulnerabilities from a vendor-specific perspective using Common Platform Enumeration (CPE) data. We analyze the evolution of vulnerabilities, highlighting the vendors most frequently associated with reported security issues. The findings reveal a vulnerability landscape dominated by Microsoft, Google, Apple, Oracle, and Debian, with Microsoft holding 21.1% of reported CVEs. Microsoft and Google show the highest risk profiles with many high and critical severity vulnerabilities, while Apple, Oracle, and Debian have more varied severity levels. Temporal analysis links major increases in disclosures to key product releases like Microsoft’s Windows Vista/7, Google’s Android and Chrome, and Apple’s iPhone and iPad. By mapping vulnerabilities back to their platform origins via CPE, our work enables security teams to tailor patch management and risk prioritization strategies to vendor-specific patterns.