Vulnerabilities (CVEs) Reserved per Year as a Proxy for US Economic Conditions and Outlook


While conducting my review of all CVEs published in 2024 (coming soon!) I noticed an interesting trend: years in which CVEs fell compared to the prior year correlated with poor economic conditions in the US. This article will attempt to describe the connection between the two data points.

TL;DR — Corporate spending on cybersecurity is often tied to economic outlook. Higher cybersecurity spend generally results in more vulnerabilities (CVEs) published per year. A decrease of >0.4% is the exception, and it aligns with periods of high unemployment.

For the purposes of this discussion we will be using the Reserved CVE ID totals per year found <here>. This number is the true denominator: the total number of IDs each CNA has been allocated each year. A CVE can be in a “Reserved”, “Published”, or “Rejected” state. Whether a CVE ends up Published or Rejected is less important than someone requesting the CVE in the first place, because the request indicates that work was completed by a researcher.

The graph below shows the CVEs Reserved per year (blue line; not CVEs assigned, apologies for the graph mislabeling), and the red lines indicate years where the number of CVEs Reserved declined from the previous year.

In 2024, the number of CVEs Reserved fell 6.92% <here>; this came after a large round of tech layoffs impacting 264k people in 2023 and over 151k people in 2024 <here>. This one seems obvious and easy to explain at a high level: “tech employees were laid off, so there was less code to test and fewer cyber employees to identify vulnerabilities”.

Continuing our look back, 2024 was the first decline since 2021 (7.09%, 28,506 vs 30,680), which occurred during the COVID economic crisis, where the unemployment rate hit a peak of 14.8% in April 2020, hovered above 6% for the first half of the year and settled around 5.3% for the full year <here>.

Prior to 2021, the last drop was in 2010 (12%, 6,094 to 5,379), when unemployment stayed above 9% well into 2011 <here>. Before 2010 there was the largest recorded drop, in 2008 (22%, 7,607 to 5,968), which happened during the Great Recession highs of 10% unemployment.
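To make the year-over-year comparison above reproducible, here is a small added example (not code from the original article) that computes the percent change in Reserved CVE IDs between consecutive years and flags every decline larger than the 0.4% threshold from the TL;DR. The embedded counts are only the absolute figures the article quotes (2007-2010 and 2020-2021); a real run would load the full per-year series from the CVE program's totals, and the resulting flagged years can then be joined against an unemployment series of your choosing.

```python
from typing import Dict

# Reserved CVE ID counts per year, taken from the absolute figures quoted in
# the article text. Years the article does not give a number for are omitted;
# replace this with the full per-year series for a real analysis.
RESERVED_BY_YEAR: Dict[int, int] = {
    2007: 7607,
    2008: 5968,
    2009: 6094,
    2010: 5379,
    2020: 30680,
    2021: 28506,
}


def yoy_change_pct(counts: Dict[int, int]) -> Dict[float, float]:
    """Percent change versus the prior year for every year whose predecessor
    is also present. Gaps in the series (e.g. 2010 -> 2020 here) are skipped
    rather than compared across missing years."""
    years = sorted(counts)
    changes: Dict[int, float] = {}
    for prev, cur in zip(years, years[1:]):
        if cur - prev != 1:
            continue  # no data for the intervening years; do not compare
        changes[cur] = (counts[cur] - counts[prev]) / counts[prev] * 100.0
    return changes


def flag_declines(counts: Dict[int, int], threshold_pct: float = 0.4) -> Dict[int, float]:
    """Years whose Reserved count fell by more than threshold_pct compared to the
    prior year, mapped to the size of the decline in percent (rounded to 2 dp).
    The 0.4% default is the article's own cut-off for an 'exception' year."""
    return {
        year: round(-change, 2)
        for year, change in yoy_change_pct(counts).items()
        if -change > threshold_pct
    }


if __name__ == "__main__":
    for year, drop in sorted(flag_declines(RESERVED_BY_YEAR).items()):
        print(f"{year}: Reserved CVE IDs down {drop:.2f}% vs {year - 1}")
```

Running this reproduces the article's figures: 2008 (about 22%), 2010 (about 12%) and 2021 (7.09%) are flagged, while 2009, a year of growth, is not.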

Side note: since the CVE program was in its infancy during 1999-2001, there are unfortunately no strong correlations between the Dotcom Bubble and CVEs published.

I’m curious whether, in your opinion, these correlations are strongly linked or just coincidental. CVEs are generally published at a higher rate going into the last months (Oct/Nov/Dec) of the year to ensure publication before the end of the calendar year.

Would a drop in the rate of published CVEs during the year be a strong signal of upcoming unemployment or economic downturns? Or similar to 2023 and 2024, a reactive signal that tech itself is going through layoffs? Let me know your thoughts in the comments below!