As of August 2024, internet users worldwide discovered around ****** new common IT security vulnerabilities and exposures (CVEs). The highest reported annual figure was recorded in 2023, over ******.
Global ransomware threats
In the past couple of years, ransomware has become more prominent, becoming the most frequently reported type of cyberattack worldwide in 2023. Additionally, ** percent of organizations worldwide reported experiencing one to three ransomware infections. Among researched markets, France and South Africa were impacted the most. Costly and efficient ransomware families, such as StopCrypt and LockBit, ranked first by detections globally. Additionally, the 2017 WannaCry attack still holds the record as the most impactful ransomware event, causing an estimated **** billion U.S. dollars in damages.
Manufacturing and ransomware
Manufacturing remains one of the most targeted industries for cyberattacks. In 2023, it was the most vulnerable sector globally to ransomware, experiencing approximately *** incidents worldwide. These attacks were especially prevalent in industrial organizations in North America. Additionally, malware and network or application anomalies were among the most common types of cyber incidents affecting manufacturing organizations.
According to a 2024 study, the average age of cyber vulnerabilities worldwide ranged from 189 to 267 days. Vulnerabilities that were identified as critical were 214.61 days old, and those with high severity were, on average, 189.86 days old. The oldest vulnerabilities were classified as low severity.
Apache License, v2.0 https://www.apache.org/licenses/LICENSE-2.0
License information was derived automatically
This dataset combines vulnerability data from three key sources:
NVD (National Vulnerability Database): Contains a comprehensive list of publicly known vulnerabilities, including CVE IDs, descriptions, CVSS scores (both v2 and v3), and publication dates. Data includes detailed information on attack vectors, complexity, privileges required, and impact scores.
CISA (Cybersecurity and Infrastructure Security Agency): Includes a curated list of actively exploited vulnerabilities, highlighting those requiring immediate attention. This provides crucial context for prioritizing remediation efforts.
Cyentia EPSS: Provides a numerical score (EPSS) reflecting the likelihood of a vulnerability being actively exploited in the wild.
The dataset is designed for advanced vulnerability analysis. The integrated nature of these data sources enables security professionals and researchers to build models for vulnerability prediction and risk assessment, facilitate more effective security planning, and potentially correlate vulnerability characteristics with exploit activity. The dataset is provided as a CSV file, with appropriate data types assigned to each column for optimal processing in analytical tools like Pandas.
Data is updated automatically every day.
This USGS Data Release represents geospatial and tabular data for the Gulf Coast Vulnerability Assessment Project. The data release was produced in compliance with the new 'open data' requirements as a way to make the scientific products associated with USGS research efforts and publications available to the public. The dataset consists of 2 separate items:
1. Vulnerability assessment data for habitat and species based on expert opinion (Tabular datasets)
2. Vulnerability assessment values for species across subregions in study area (Vector GIS dataset)
The Heat Vulnerability Index (HVI) shows neighborhoods whose residents are more at risk for dying during and immediately following extreme heat. It uses a statistical model to summarize the most important social and environmental factors that contribute to neighborhood heat risk. The factors included in the HVI are surface temperature, green space, access to home air conditioning, and the percentage of residents who are low-income or non-Latinx Black. Differences in these risk factors across neighborhoods are rooted in past and present racism. Neighborhoods are scored from 1 (lowest risk) to 5 (highest risk) by summing the following factors and assigning them into 5 groups (quintiles):
Median Household Income (American Community Survey 5 year estimate, 2016-2020)
Percent vegetative cover (trees, shrubs or grass) (2017 LiDAR, NYC DOITT)
Percent of population reported as Non-Hispanic Black on Census 2020
Average surface temperature Fahrenheit from ECOSTRESS thermal imaging, August 27, 2020
Percent of households reporting Air Conditioning access, Housing and Vacancy Survey, 2017
MIT License https://opensource.org/licenses/MIT
License information was derived automatically
In our work, we have designed and implemented a novel workflow with several heuristic methods to combine state-of-the-art methods related to CVE fix commits gathering. As a consequence of our improvements, we have been able to gather the largest programming language-independent real-world dataset of CVE vulnerabilities with the associated fix commits. Our dataset containing 29,203 unique CVEs coming from 7,238 unique GitHub projects is, to the best of our knowledge, by far the biggest CVE vulnerability dataset with fix commits available today. These CVEs are associated with 35,276 unique commits as SQL and 39,931 patch commit files that fixed those vulnerabilities (some patch files can't be saved as SQL due to several technical reasons). Our larger dataset thus substantially improves over the current real-world vulnerability datasets and enables further progress in research on vulnerability detection and software security. We used NVD (nvd.nist.gov) and GitHub Security Advisory Database as the main sources of our pipeline.
We release to the community a 16GB PostgreSQL database that contains information on CVEs up to 2024-09-26, CWEs of each CVE, files and methods changed by each commit, and repository metadata. Additionally, patch files related to the fix commits are available as a separate package. Furthermore, we make our dataset collection tool also available to the community.
The cvedataset-patches.zip file contains fix patches, and postgrescvedumper.sql.zip contains a PostgreSQL dump of fixes, together with several other fields such as CVEs, CWEs, repository meta-data, commit data, file changes, methods changed, etc.
The MoreFixes data-storage strategy is based on CVEFixes to store CVE commit fixes from open-source repositories, and uses a modified version of Prospector (part of ProjectKB from SAP) as a module to detect commit fixes of a CVE. Our full methodology is presented in the paper, with the title of "MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository Discovery", which will be published in the Promise conference (2024).
For more information about usage and sample queries, visit the Github repository: https://github.com/JafarAkhondali/Morefixes
If you are using this dataset, please be aware that the repositories that we mined contain different licenses and you are responsible for handling any licensing issues. This is also the case with CVEFixes.
This product uses the NVD API but is not endorsed or certified by the NVD.
This research was partially supported by the Dutch Research Council (NWO) under the project NWA.1215.18.008 Cyber Security by Integrated Design (C-SIDe).
To restore the dataset, you can use the docker-compose file available at the GitHub repository. Dataset default credentials after restoring dump:
POSTGRES_USER=postgrescvedumper
POSTGRES_DB=postgrescvedumper
POSTGRES_PASSWORD=a42a18537d74c3b7e584c769152c3d
Please use this for citation:
title={MoreFixes: A large-scale dataset of CVE fix commits mined through enhanced repository discovery},
author={Akhoundali, Jafar and Nouri, Sajad Rahim and Rietveld, Kristian and Gadyatskaya, Olga},
booktitle={Proceedings of the 20th International Conference on Predictive Models and Data Analytics in Software Engineering},
pages={42--51},
year={2024}
}
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Households at risk of asset-based vulnerability - experimental statistics
https://creativecommons.org/publicdomain/zero/1.0/
The dataset is designed for binary classification, where the task is to predict whether a bitstream is vulnerable (TRUE) or not (FALSE) based on its configuration data (config_data). The vulnerability_type column indicates the type of vulnerability, but since it only contains one type ("Bitstream Modification"), the focus is on distinguishing between vulnerable and non-vulnerable bitstreams. The model's goal is to recognize patterns in the numerical configuration data that correlate with vulnerabilities, making this a binary classification problem.
CC0 1.0 Universal Public Domain Dedication https://creativecommons.org/publicdomain/zero/1.0/
License information was derived automatically
This submission includes publicly available data extracted in its original form. Please reference the Related Publication listed here for source and citation information. If you have questions about the underlying data stored here, please contact the Centers for Disease Control and Prevention and Agency for Toxic Substances and Disease Registry at svi_coordinator@cdc.gov. If you have questions about this metadata entry, please contact the CAFE team at climatecafe@bu.edu.
Centers for Disease Control and Prevention/ Agency for Toxic Substances and Disease Registry/ Geospatial Research, Analysis, and Services Program. CDC/ATSDR Social Vulnerability Index [2022, 2020, 2018, 2016, 2014, 2010, and 2000] Database [U.S.]. https://www.atsdr.cdc.gov/placeandhealth/svi/data_documentation_download.html Accessed on 17 December, 2024.
"The Centers for Disease Control and Prevention and Agency for Toxic Substances and Disease Registry Social Vulnerability Index (hereafter, CDC/ATSDR SVI or SVI) is a place-based index, database, and mapping application designed to identify and quantify communities experiencing social vulnerability. The Geospatial Research, Analysis & Services Program (GRASP) maintains the CDC/ATSDR SVI to help public health officials and local planners better prepare for and respond to emergency events with the goal of decreasing human suffering, economic loss, and health inequities." [Quote from https://www.atsdr.cdc.gov/place-health/php/svi/]
The Centers for Disease Control Social Vulnerability Index shows which communities are especially at risk during public health emergencies because of factors like socioeconomic status, household composition, racial composition of neighborhoods, or housing type and transportation. The CDC SVI uses 15 U.S. census variables to identify communities that may need support before, during, or after disasters. Learn more here. The condition is the overall ranking of four social theme rankings where lower values indicate high vulnerability and high values indicate low vulnerability. Quintiles for this condition were determined for all the Census tracts in King County. Quintile 1 is the most vulnerable residents, Quintile 5 is the least vulnerable residents. Data is released every 2 years following the American Community Survey release in December of the year following the Survey. The most recent data for 2018 was downloaded from the ATSDR website.
JonesEtAl_2021_Study_Locations.shp: This shapefile includes the areas of interest used in our analysis for the analyses published in Jones et al. 2021. Each area of interest is divided into numerous polygonal assessment units as described in the accompanying research article. Each polygon has attributes that include FID, Name, Number (used in our published map figure and tables), and shape area (in meters squared).
US_HLScenarioMerge.shp: We apply the hydrologic landscapes (HL) concept to assess the hydrologic vulnerability of the western United States (U.S.) to projected climate conditions. Our goal is to understand the potential impacts for stakeholder-defined interests across large geographic areas. The basic assumption of the HL approach is that catchments that share similar physical and climatic characteristics are expected to have similar hydrologic characteristics. We map climate vulnerability by integrating the HL approach into a retrospective analysis of historical data to assess variability in future climate projections and hydrology, which includes temperature, precipitation, potential evapotranspiration, snow accumulation, climatic moisture, surplus water, and seasonality of water surplus. This paper illustrates how the HL approach can help assess climatic and hydrologic vulnerability across large spatial scales. By combining the HL concept and climate vulnerability analyses, we provide a planning approach that could allow resource managers to consider how future climate conditions may impact important economic and conservation resources. The data in this data set provides the Feddema Moisture Index, classified climate class, and classified season class for each time decade and 30 yr normal period from 1900-2010 and the 10 analyzed climate model projections described in the manuscript.
SQL Injection is the main source of web application critical vulnerabilities found globally in 2023, with ** percent, in addition to ** percent of internet facing critical vulnerabilities due to cross site scripting (stored) attacks.
MIT License https://opensource.org/licenses/MIT
License information was derived automatically
This dataset was created by Bowen
Released under MIT
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
The data set contains vulnerability discovery metric data extracted from 26 primary studies identified as part of the systematic literature review conducted. The review was conducted as part of achieving our overall research vision to assist software engineers in building secure software by providing a technique that generates scientific, interpretable, and actionable feedback on security as the software evolves.
The National Vulnerability Database (NVD) is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security related software flaws, misconfigurations, product names, and impact metrics.
Originally created in 2000 (called Internet - Categorization of Attacks Toolkit or ICAT), the NVD has undergone multiple iterations and improvements and will continue to do so to deliver its services. The NVD is a product of the NIST Computer Security Division, Information Technology Laboratory and is sponsored by the Department of Homeland Security’s National Cyber Security Division.
The NVD performs analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with analysis of CVEs by aggregating data points from the description, references supplied and any supplemental data that can be found publicly at the time. This analysis results in association impact metrics (Common Vulnerability Scoring System - CVSS), vulnerability types (Common Weakness Enumeration - CWE), and applicability statements (Common Platform Enumeration - CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing, relying on vendors, third party security researchers and vulnerability coordinators to provide information that is then used to assign these attributes.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
This dataset represents a water shortage vulnerability analysis performed by DWR using modified PLSS sections pulled from the Well Completion Report PLSS Section Summaries. The attribute table includes water shortage vulnerability indicators and scores from an analysis done by CA Department of Water Resources, joined to modified PLSS sections. Several relevant summary statistics from the Well Completion Reports are included in this table as well. This data is from the 2024 analysis.
Water Code Division 6 Part 2.55 Section 8 Chapter 10 (Assembly Bill 1668) effectively requires California Department of Water Resources (DWR), in consultation with other agencies and an advisory group, to identify small water suppliers and “rural communities” that are at risk of drought and water shortage. Following legislation passed in 2021 and signed by Governor Gavin Newsom, the Water Code Division 6, Section 10609.50 through 10609.80 (Senate Bill 552 of 2021) effectively requires the California Department of Water Resources to update the scoring and tool periodically in partnership with the State Water Board and other state agencies. This document describes the indicators, datasets, and methods used to construct this deliverable. This is a statewide effort to systematically and holistically consider water shortage vulnerability statewide of rural communities, focusing on domestic wells and state small water systems serving between 4 and 14 connections. The indicators and scoring methodology will be revised as better data become available and stakeholders evaluate the performance of the indicators, datasets used, and aggregation and ranking method used to aggregate and rank vulnerability scores. Additionally, the scoring system should be adaptive, meaning that our understanding of what contributes to risk and vulnerability of drought and water shortage may evolve. This understanding may especially be informed by experiences gained while navigating responses to future droughts.
A spatial analysis was performed on the 2020 Census Block Groups, modified PLSS sections, and small water system service areas using a variety of input datasets related to drought vulnerability and water shortage risk and vulnerability. These indicator values were subsequently rescaled and summed for a final vulnerability score for the sections and small water system service areas. The 2020 Census Block Groups were joined with ACS data to represent the social vulnerability of communities, which is relevant to drought risk tolerance and resources. These three feature datasets contain the units of analysis (modified PLSS sections, block groups, small water systems service areas) with the model indicators for vulnerability in the attribute table. Model indicators are calculated for each unit of analysis according to the Vulnerability Scoring documents provided by Julia Ekstrom (Division of Regional Assistance).
All three feature classes are DWR analysis zones that are based off existing GIS datasets. The spatial data for the sections feature class is extracted from the Well Completion Reports PLSS sections to be aligned with the work and analysis that SGMA is doing. These are not true PLSS sections, but a version of the projected section lines in areas where there are gaps in PLSS. The spatial data for the Census block group feature class is downloaded from the Census. ACS (American Communities Survey) data is joined by block group, and statistics calculated by DWR have been added to the attribute table. The spatial data for the small water systems feature class was extracted from the State Water Resources Control Board (SWRCB) SABL dataset, using a definition query to filter for active water systems with 3000 connections or less. None of these datasets are intended to be the authoritative datasets for representing PLSS sections, Census block groups, or water service areas. The spatial data of these feature classes is used as units of analysis for the spatial analysis performed by DWR.
These datasets are intended to be authoritative datasets of the scoring tools required from DWR according to Senate Bill 552. Please refer to the Drought and Water Shortage Vulnerability Scoring: California's Domestic Wells and State Smalls Systems documentation for more information on indicators and scoring. These estimated indicator scores may sometimes be calculated in several different ways, or may have been calculated from data that has since been updated. Counts of domestic wells may be calculated in different ways. In order to align with DWR SGMO's (State Groundwater Management Office) California Groundwater Live dashboards, domestic wells were calculated using the same query. This includes all domestic wells in the Well Completion Reports dataset that are completed after 12/31/1976, and have a 'RecordType' of 'WellCompletion/New/Production or Monitoring/NA'.
Please refer to the Well Completion Reports metadata for more information. The associated data are considered DWR enterprise GIS data, which meet all appropriate requirements of the DWR Spatial Data Standards, specifically the DWR Spatial Data Standard version 3.4, dated September 14, 2022. DWR makes no warranties or guarantees — either expressed or implied— as to the completeness, accuracy, or correctness of the data.
DWR neither accepts nor assumes liability arising from or for any incorrect, incomplete, or misleading subject data. Comments, problems, improvements, updates, or suggestions should be forwarded to GIS@water.ca.gov.
https://www.statsndata.org/how-to-order
The Vulnerability Management Services market is an integral part of the cybersecurity landscape, addressing the pressing need for organizations to identify, assess, and remediate security vulnerabilities in their systems and applications. As cyber threats become more sophisticated, the demand for effective vulnerabi
Security automation reference data is currently housed within the National Vulnerability Database (NVD). The NVD is the U.S. Government repository of security automation data based on security automation specifications. This data provides a standards-based foundation for the automation of software asset, vulnerability, and security configuration management; security measurement; and compliance activities. This data supports security automation efforts based on the Security Content Automation Protocols (SCAP). The NVD includes databases of security configuration checklists for the NCP, listings of publicly known software flaws, product names, and impact metrics. A formal validation program tests the ability of vendor products to use some forms of security automation data based on a product's conformance in support of specific enterprise capabilities.
ODC Public Domain Dedication and Licence (PDDL) v1.0 http://www.opendatacommons.org/licenses/pddl/1.0/
License information was derived automatically
The columns in the dataset are as follows:
vendor_project: The vendor and project name. (String)
product: The product name. (String)
vulnerability_name: The name of the vulnerability. (String)
date_added: The date the vulnerability was added to the dataset. (Date)
short_description: A short description of the vulnerability. (String)
required_action: The required action for the vulnerability. (String)
due_date: The due date for the required action. (Date)
notes: Notes about the vulnerability. (String)
grp: pub_date cvss, cwe vector complexity severity
File: 2022-06-08-enriched.csv

| Column name | Description |
|:-----------------------|:------------------------------------------------------------|
| vendor_project | The vendor and project name. (String) |
| product | The product name. (String) |
| vulnerability_name | The name of the vulnerability. (String) |
| date_added | The date the vulnerability was added to the dataset. (Date) |
| short_description | A short description of the vulnerability. (String) |
| required_action | The required action for the vulnerability. (String) |
| due_date | The due date for the required action. (Date) |
| notes | Notes about the vulnerability. (String) |
| grp | The group the vulnerability is in. (String) |
| pub_date | The date the vulnerability was published. (Date) |
| cvss | The CVSS score for the vulnerability. (Float) |
| cwe | The CWE for the vulnerability. (String) |
| vector | The vector for the vulnerability. (String) |
| complexity | The complexity for the vulnerability. (String) |
| severity | The severity for the vulnerability. (String) |
File: 2022-06-09-enriched.csv

| Column name | Description |
|:-----------------------|:------------------------------------------------------------|
| vendor_project | The vendor and project name. (String) |
| product | The product name. (String) |
| vulnerability_name | The name of the vulnerability. (String) |
| date_added | The date the vulnerability was added to the dataset. (Date) |
| short_description | A short description of the vulnerability. (String) |
| required_action | The required action for the vulnerability. (String) |
| due_date | The due date for the required action. (Date) |
| notes | Notes about the vulnerability. (String) |
| grp | The group the vulnerability is in. (String) |
| pub_date | The date the vulnerability was published. (Date) |
| cvss | The CVSS score for the vulnerability. (Float) |
| cwe | The CWE for the vulnerability. (String) |
| vector | The vector for the vulnerability. (String) |
| complexity | The complexity for the vulnerability. (String) |
| severity | The severity for the vulnerability. (String) |
File: 2022-06-27-enriched.csv

| Column name | Description |
|:-----------------------|:------------------------------------------------------------|
| vendor_project | The vendor and project name. (String) |
| product | The product name. (String) |
| vulnerability_name | The name of the vulnerability. (String) |
| date_added | The date the vulnerability was added to the dataset. (Date) |
| short_description | A short description of the vulnerability. (String) |
| required_action | The required action for the vulnerability. (String) |
| due_date | The due date for the required action. (Date) |

...