by 0xDEAFBEAD 960 days ago
Can anyone recommend a solid website which aggregates CVE data in order to generate security scores for companies, platforms, open source projects, etc.? I know CVE data has a lot of problems, but I still suspect that this would be more objectively accurate than making security decisions based on gut feel.
3 comments

I don't know of one, and making this judgement based on CVE data alone will not answer your question. Factors ignored include codebase size, customer count, internal CVE filing standards/criteria, etc.

The only signal I would conclude from CVE data by itself is that I bias towards a preference for companies that regularly publish CVEs. The ones that don't publish CVEs regularly are hiding, ignorant, or actually secure (and the first two are more likely).

You can't look at CVE in isolation.

Aggregating CVE data is probably not a useful signal. Products with more CVEs are not necessarily less secure than ones with fewer.

Possibly, if a product consistently has high CVEs over a long period of time, that might tell you something about poor security practices over that period (or before it). It might also mean that their security is now quite good!

You have to interpret the data I'm afraid. I can't think of any useful statistical measures you could use to compare aggregate data across multiple products.