Methodology for Skybox Vulnerability Index and Skybox Vulnerability Database

For more than a decade, Skybox Security has been at the forefront of vulnerability intelligence research. Through research and next-generation technology, Skybox gives IT security professionals visibility into their attack surface and exploitable attack vectors, so they can take more precise and timely actions to eliminate high-risk vulnerabilities and business exposures.

Skybox Vulnerability Database
As a risk analytics company, Skybox Security focuses research on vulnerabilities that create a security risk management challenge for enterprise-class networks. The Skybox Vulnerability Database consolidates vulnerability data for more than 1,000 products that are used extensively in enterprise network environments, including server and desktop operating systems, business and desktop applications, databases, runtime frameworks, networking hardware and software, security software, and more. This data selection is tailored to Skybox Security's enterprise customers, limiting the products and their corresponding vulnerabilities to those most relevant to a large enterprise network.

Skybox Vulnerability Database currently supports more than 48,000 vulnerabilities. The database is a result of information collected from leading public and private security data sources and built as a superset of vulnerabilities. As a state-of-the-art vulnerability database, it is CVE compliant and implements CVSS v2 standards.

Skybox Vulnerability Index
The charts on the main page of the Vulnerability Center show the Skybox Vulnerability Index. This Index is a measurement that gives an indication of both the scale and severity of vulnerabilities affecting an enterprise organization at a point in time. The Skybox Vulnerability Index has no upper bound, and there is no maximum number of vulnerabilities.

The Vulnerability Index is calculated daily from a summation of factors assigned to every vulnerability reported in the Skybox Vulnerability Database in a preceding time window.  The default time window is 90 days, relevant for an organization with a 90-day vulnerability management cycle from assessment to remediation.  The Index can be customized to a 30-day or 180-day rolling time window, allowing organizations to see the impact of faster or slower resolution cycles on overall risk.

Vulnerability severity is used as a weighting factor, so 10 new critical vulnerabilities would influence the Vulnerability Index more than 10 new low or medium severity vulnerabilities.  All vulnerabilities added to the Index are assigned a severity index between 0 and 1, with 1 indicating critical vulnerabilities.

Skybox Research Lab
Skybox Security has a dedicated team, the Skybox Research Lab, which aggregates a superset of vulnerabilities from leading public and private security data sources. The Skybox Research Lab manually analyzes each vulnerability entry from multiple databases to ensure accuracy, and adds information needed for the risk analytics engines used by our products. This manual analysis often reveals inconsistencies between data sources, or additional information that needs to be considered to ensure a more accurate severity ranking, list of affected products, or vendor solutions for each vulnerability.

Data Sources
The Skybox Research Lab team updates the Skybox Vulnerability Database continuously, correlating the information from more than 25 sources:

  • National Vulnerability Database (NVD)
  • Vendor threat advisories
  • Vulnerability scanner mappings
  • Threat management feeds for worms, malware, and viruses
  • Catalogs of intrusion prevention signatures from IPS vendors (e.g. Sourcefire, Palo Alto Networks, IBM Proventia, HP TippingPoint, and more)

| Advisories | Scanners | IPS | Other Sources |
|---|---|---|---|
| Adobe | eEye Retina * | Fortinet FortiGate | CERT |
| Cisco PSIRT | ISS Internet Scanner * | HP Tipping Point | Mitre CVE |
| Microsoft Security Bulletin | McAfee Foundstone | ISS Proventia | NIST's NVD |
| Oracle | Qualys Guard | McAfee IPS | OSVDB |
| RedHat | Rapid7 Nexpose | Palo Alto Networks | Rapid 7 Metasploit |
| | Tenable Nessus | Sourcefire | Secunia |
| | Tripwire nCircle | | Symantec SecurityFocus |
| | | | Symantec Worms |

* Scanners supported as cross-references with CVE ID

Skybox uses the CVE number to cross-reference among the various sources.  In addition, our database contains vulnerabilities that do not have a CVE reference, such as vulnerabilities that really represent two different risk scenarios on different systems or network configurations.

Skybox catalogs records by the first 'reporting date' assigned to a vulnerability from any source.  Sometimes, a new vulnerability is added that has an older reporting date, so the historical list is updated with more recent information.

The severity rating is based on Skybox Security's risk modeling (CVSS v2 compliant), which takes various parameters into account. Critical vulnerabilities are those with a CVSS base score of 9 or higher. These are typically remote code execution or memory corruption vulnerabilities, through which an attacker can gain full control over the affected machine, as opposed to other effects such as DoS, which are usually considered less severe.
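
The index calculation described under "Skybox Vulnerability Index" (a severity-weighted sum over a rolling window) combined with the first-reporting-date rule above, as an added example that is not Skybox's own code or formula. Only "critical (CVSS base score 9 or higher) maps to 1" comes from this page; the other weights, the merge rule for conflicting scores, the window boundaries, and the sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta

def severity_weight(cvss_base):
    """Map a CVSS v2 base score to a weight in [0, 1]."""
    if cvss_base >= 9.0:
        return 1.0  # critical maps to 1, as the page states
    if cvss_base >= 7.0:
        return 0.7  # assumed weight for high
    if cvss_base >= 4.0:
        return 0.4  # assumed weight for medium
    return 0.1      # assumed weight for low

def consolidate(reports):
    """Merge per-source reports by ID: earliest reporting date, and
    (an assumed tie-break rule) the highest score any source gives."""
    merged = {}
    for vuln_id, _source, reported, cvss in reports:
        first, score = merged.get(vuln_id, (reported, cvss))
        merged[vuln_id] = (min(first, reported), max(score, cvss))
    return merged

def vulnerability_index(merged, as_of, window_days=90):
    """Sum the weights of entries first reported in the rolling window
    (as_of - window_days, as_of]; the boundary handling is assumed."""
    start = as_of - timedelta(days=window_days)
    total = sum(severity_weight(score)
                for first, score in merged.values()
                if start < first <= as_of)
    return round(total, 2)

# Constructed sample: (ID, source, reporting date, CVSS v2 base score).
SAMPLE_REPORTS = [
    ("CVE-0000-0001", "NVD", date(2015, 6, 20), 9.3),
    ("CVE-0000-0001", "vendor advisory", date(2015, 6, 10), 9.3),
    ("CVE-0000-0002", "NVD", date(2015, 5, 1), 5.0),
    ("CVE-0000-0003", "scanner", date(2015, 2, 15), 10.0),
    ("CVE-0000-0004", "NVD", date(2015, 6, 25), 2.1),
]

if __name__ == "__main__":
    merged = consolidate(SAMPLE_REPORTS)
    for days in (30, 90, 180):
        print(days, vulnerability_index(merged, date(2015, 6, 30), days))
```

A source that later supplies an older reporting date can move a record out of a short window, which is why the historical values change when backdated entries arrive.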