State of vulnerabilities 2018/2019 : analysis of events in the life of vulnerabilities
The vulnerability ecosystem has matured considerably in the last few years. A significant amount of effort has been invested to systematically capture, curate, taxonomize and communicate vulnerabilities in terms of severity, impact and the complexity of the associated exploit or attack. Standardisation in the description of vulnerabilities contributes not only to effective threat intelligence sharing, but potentially also to efficient threat management, provided that organisations, vendors and security researchers actively seek to discover vulnerabilities and respond in a timely fashion. As the standardisation of cataloguing and modelling vulnerabilities reaches this maturity, public and private (i.e. commercial) databases containing information on the actual vulnerabilities (some together with their exploit counterparts) have emerged. As there are a number of initiatives within the research community, quite naturally some databases could be considered more "authoritative" and/or "reliable" than others. However, due to the nature of the vulnerability ecosystem, it is not a reasonable assumption that the databases will be complete (that is, contain all vulnerabilities), or reliable, in the sense that the information captured is correct and that the samples gathered can be considered to reliably support conclusions about the whole population. This is influenced by a number of factors, including the quality of analysis and assessment, the assessment framework itself, economic aspects (such as the value of any available exploit), and the business models of software vendors, threat intelligence services and the overall security community. The purpose of this report is to provide insight into both the opportunities and the limitations the vulnerability ecosystem offers.
Using the vulnerabilities published during 2018 and Q1-Q2 of 2019 as a vehicle, this report goes beyond the standard exploratory analysis, which is well covered by many industry whitepapers and reports, and attempts to answer questions related to the reliability and accuracy of the vulnerability sources and of the widely accepted evaluation metrics. In addition, the report leverages established vulnerability taxonomies and frameworks to explore and identify more intrinsic relationships and characteristics. Vulnerabilities are explored in terms of the ATT&CK taxonomy, revealing a non-uniform distribution across the defined tactics. Further findings are that: 1. differences, inconsistencies and discrepancies between the two major versions of the scoring system (CVSS version 2 and version 3) may influence risk management actions; 2. vulnerabilities showing affinity to specific industry sectors form strong clusters; and, of course, 3. the position and performance of vendors and products varies depending on the type of software. This report is also accompanied by the underlying dataset and the software developed (in Jupyter3/Python). These are made publicly available to enable further and independent exploration and analysis of the vulnerability domain by the information security community, as well as to allow researchers to appreciate the degree of intractability surrounding empirical analysis of vulnerabilities.
| Field | Value |
|---|---|
| Year of publication: | 2020 |
| Other Persons: | Katos, Vasilis (contributor) ; Rostami, Shahin (contributor) ; Bellonias, Panagiotis (contributor) ; Davies, Nigel (contributor) ; Kleszcz, Agnieszka (contributor) ; Faily, Shamal (contributor) ; Spyros, Arnolnt (contributor) ; Papanikolaou, Alexandros (contributor) ; Ilioudis, Christos (contributor) ; Rantos, Konstantinos (contributor) |
| Institutions: | European Union Agency for Cybersecurity (issuing body) |
| Publisher: | Heraklion : ENISA |