by dfox 769 days ago
There have been more CVEs for the last 5 or so years. The reason is that "number of CVEs" is used in InfoSec community as kind of performance metric, so the "researchers" are incentivized to report total nonsense as security vulnerabilities. Second reason is that the whole "InfoSec" thing is viewed as a career choice where there is shitload of money to be made, which caused many people with questionable skills and ethics to become "security researchers".
1 comments

On the other hand, scanners do flag CVEs (and therefore regulatory patch requirements are triggered by them).

So at the end of the day, it does apply patch pressure to regulated companies.

Autogenerated security audits that flag totally irrelevant CVEs are another symptom of the same problem. Such scans usually only compare the version of the package in question, which breaks badly when distributions backport security patches and leads to completely irrelevant results when the "vulnerability" in question pertains to configuration that is not used (good example of that are CVEs for the mail-proxy component of nginx, which I assume most people do not even know exists, let alone deploy). In the end the main effect is that if there was some real security issue, it would get buried deep in all that pointless busy-work that InfoSec community generates for everybody else.
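An added illustration of the failure mode described in the comment above (example code written for this page, not from the commenter or any scanner vendor): a version-only check beside one that also consults constructed distro backport data and the nginx configuration. The CVE id, version strings, security-tracker entry and config snippet are all placeholders.

```python
import re

# Constructed advisory record; the CVE id is a placeholder, not a real one.
ADVISORY = {"id": "CVE-XXXX-YYYY", "package": "nginx",
            "fixed_upstream": "1.21.0", "component": "mail"}

# Constructed distro security-tracker entry: the package revision that
# carries the backported fix (placeholder version string).
BACKPORTED_IN = {"nginx": "1.18.0-6ubuntu14.3"}

# Constructed nginx.conf with no mail {} block: the mail proxy module may be
# compiled in, but it is never configured.
NGINX_CONF = """
events { worker_connections 1024; }
http { server { listen 80; } }
"""

def _digits(s):
    """Crude ordering key: '6ubuntu14.4' -> (6, 14, 4). Not full dpkg semantics."""
    return tuple(int(x) for x in re.findall(r"\d+", s))

def split_distro_version(v):
    """'1.18.0-6ubuntu14.4' -> ((1, 18, 0), '6ubuntu14.4')"""
    upstream, _, rev = v.partition("-")
    return _digits(upstream), rev

def naive_scan(installed, advisory=ADVISORY):
    """Version-only matching: flags anything whose upstream version is older."""
    up, _ = split_distro_version(installed)
    return up < _digits(advisory["fixed_upstream"])

def backport_aware_scan(installed, conf, advisory=ADVISORY, backported=BACKPORTED_IN):
    """Returns 'not-affected', 'patched-by-backport', 'component-not-configured' or 'vulnerable'."""
    if not naive_scan(installed, advisory):
        return "not-affected"
    up, rev = split_distro_version(installed)
    fix = backported.get(advisory["package"])
    if fix:
        fix_up, fix_rev = split_distro_version(fix)
        # Same upstream base and a distro revision at or above the fixing one.
        if up == fix_up and _digits(rev) >= _digits(fix_rev):
            return "patched-by-backport"
    # Advisory only concerns the mail proxy: report, but distinguish unconfigured.
    if advisory["component"] == "mail" and not re.search(r"^\s*mail\s*\{", conf, re.M):
        return "component-not-configured"
    return "vulnerable"
```

The naive check flags every 1.18.x build regardless of the distro revision; the second one separates genuinely exposed hosts from those that are already patched or never enabled the component.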
100% granted: the avalanche of CVEs is a serious problem.

Which is why the scanner companies are actually providing a "tell me what I need to care about" service.

In general, it does feel like we're groping (blindly) towards a healthier future.