Security’s blind spot: the problem with taking CVE scores at face value
techradar.com
The modern software supply chain is operating under unprecedented pressure as new vulnerabilities emerge at a record pace. In 2024 alone, more than 33,000 new Common Vulnerabilities and Exposures (CVEs) were reported, a record figure that forces security teams and developers to triage vulnerabilities at scale while trying to stay focused on the ones that actually matter to them.
Yet, despite the high number of CVEs labelled “critical”, a closer look reveals that many of these threats aren’t nearly as severe in practice. In fact, recent research found that just 12% of the CVEs flagged as “critical” by official sources truly warranted that designation.
This disconnect highlights a growing challenge for the cybersecurity industry. The CVE programme run by MITRE and established scoring systems like CVSS offer a useful baseline, but a base score says nothing about the context of a particular organization's environment: whether the affected component is actually reachable, whether an exploit is known to exist, or how much the asset matters. As a result, teams risk focusing on theoretical risks while genuine threats ...