Vendor Intelligence
Security scorecards – CVE volume, patch rates, exploit exposure, and composite risk for 38 vendors
| # | Vendor | Risk Score | CVEs | Severity | KEV | PoC | Avg EPSS | Patch Rate | Trend |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Microsoft | 2834 | 786 |
56 CRITICAL
496 HIGH
212 MEDIUM
16 LOW
|
1 | 30 | 0.4% | 96% | +387 |
| 2 | WordPress | 1969 | 605 |
43 CRITICAL
204 HIGH
353 MEDIUM
5 LOW
|
0 | 88 | 0.3% | 13% | +187 |
| 3 | 1828 | 662 |
78 CRITICAL
240 HIGH
322 MEDIUM
19 LOW
|
0 | 11 | 0.2% | 94% | -125 | |
| 4 | Oracle | 1804 | 272 |
125 CRITICAL
111 HIGH
25 MEDIUM
10 LOW
|
1 | 5 | 0.4% | 10% | +223 |
| 5 | Suse | 1650 | 638 |
75 CRITICAL
209 HIGH
354 MEDIUM
|
0 | 8 | 0.2% | 97% | -277 |
| 6 | Linux | 1092 | 469 |
36 CRITICAL
179 HIGH
155 MEDIUM
6 LOW
|
0 | 2 | 0.2% | 95% | -69 |
| 7 | Apache | 638 | 147 |
37 CRITICAL
59 HIGH
42 MEDIUM
9 LOW
|
0 | 4 | 0.3% | 67% | +16 |
| 8 | Red Hat | 518 | 210 |
13 CRITICAL
87 HIGH
109 MEDIUM
|
0 | 5 | 0.3% | 81% | -665 |
| 9 | IBM | 310 | 69 |
25 CRITICAL
15 HIGH
27 MEDIUM
|
0 | 0 | 0.3% | 68% | +5 |
| 10 | Apple | 268 | 124 |
8 CRITICAL
35 HIGH
79 MEDIUM
1 LOW
|
0 | 6 | 0.2% | 93% | +8 |
| 11 | Tenda | 222 | 25 |
4 CRITICAL
19 HIGH
2 MEDIUM
|
0 | 10 | 0.5% | 0% | -44 |
| 12 | Canonical | 216 | 43 |
6 CRITICAL
23 HIGH
13 MEDIUM
1 LOW
|
0 | 8 | 0.3% | 86% | +17 |
| 13 | Nvidia | 200 | 45 |
5 CRITICAL
30 HIGH
10 MEDIUM
|
0 | 1 | 0.2% | 7% | +7 |
| 14 | Mozilla | 198 | 61 |
11 CRITICAL
18 HIGH
31 MEDIUM
|
0 | 2 | 0.2% | 82% | +16 |
| 15 | Nginx | 164 | 32 |
6 CRITICAL
16 HIGH
10 MEDIUM
|
0 | 5 | 0.4% | 78% | +5 |
| 16 | Dell | 164 | 66 |
4 CRITICAL
31 HIGH
28 MEDIUM
3 LOW
|
0 | 0 | 0.3% | 67% | +42 |
| 17 | Ubiquiti | 138 | 25 |
7 CRITICAL
17 HIGH
1 MEDIUM
|
0 | 0 | 0.3% | 100% | +16 |
| 18 | Adobe | 128 | 33 |
7 CRITICAL
6 HIGH
19 MEDIUM
1 LOW
|
0 | 1 | 2.8% | 3% | -52 |
| 19 | Cisco | 125 | 31 |
1 CRITICAL
26 HIGH
4 MEDIUM
|
0 | 1 | 0.7% | 45% | +22 |
| 20 | Hashicorp | 98 | 23 |
3 CRITICAL
11 HIGH
7 MEDIUM
2 LOW
|
0 | 3 | 0.2% | 96% | +8 |
| 21 | Debian | 68 | 14 |
2 CRITICAL
6 HIGH
4 MEDIUM
|
0 | 3 | 0.2% | 100% | +2 |
| 22 | SAP | 54 | 15 |
3 CRITICAL
3 HIGH
8 MEDIUM
1 LOW
|
0 | 0 | 0.3% | 27% | +3 |
| 23 | Jenkins | 48 | 30 |
6 HIGH
23 MEDIUM
1 LOW
|
0 | 0 | 0.2% | 3% | +7 |
| 24 | Fortinet | 47 | 12 |
1 CRITICAL
3 HIGH
8 MEDIUM
|
0 | 0 | 0.3% | 0% | +9 |
| 25 | Juniper | 44 | 22 |
11 HIGH
11 MEDIUM
|
0 | 0 | 0.3% | 100% | +19 |
| 26 | Citrix | 44 | 9 |
7 HIGH
2 MEDIUM
|
0 | 2 | 0.3% | 89% | +9 |
| 27 | Gitlab | 44 | 30 |
2 CRITICAL
4 HIGH
20 MEDIUM
4 LOW
|
0 | 1 | 0.2% | 90% | +4 |
| 28 | D-Link | 31 | 3 |
1 CRITICAL
1 HIGH
1 MEDIUM
|
0 | 2 | 0.7% | 0% | -8 |
| 29 | HP | 30 | 6 |
1 CRITICAL
5 HIGH
|
0 | 0 | 0.2% | 67% | +3 |
| 30 | Elastic | 26 | 16 |
1 CRITICAL
4 HIGH
11 MEDIUM
|
0 | 0 | 0.2% | 50% | +4 |
| 31 | Amd | 20 | 16 |
5 HIGH
7 MEDIUM
|
0 | 0 | 0.2% | 100% | +5 |
| 32 | Atlassian | 18 | 5 |
1 CRITICAL
2 HIGH
2 MEDIUM
|
0 | 0 | 0.2% | 80% | – |
| 33 | Lenovo | 12 | 3 |
1 HIGH
1 MEDIUM
|
0 | 1 | 0.1% | 100% | -1 |
| 34 | Samsung | 10 | 10 |
10 MEDIUM
|
0 | 0 | 0.1% | 30% | -18 |
| 35 | TP-Link | 8 | 4 |
2 HIGH
2 MEDIUM
|
0 | 0 | 0.3% | 100% | -3 |
| 36 | Nokia | 8 | 5 |
2 HIGH
3 MEDIUM
|
0 | 0 | 0.2% | 80% | +5 |
| 37 | Paloalto | 4 | 12 |
1 HIGH
5 MEDIUM
6 LOW
|
0 | 0 | 0.5% | 100% | +5 |
| 38 | Netgear | 0 | 6 |
6 MEDIUM
|
0 | 0 | 0.2% | 83% | -6 |
How to read this table
Risk Score – composite metric: KEV ×50, Critical ×10, High ×4, PoC ×8, EPSS weight, patch rate penalty. Higher = riskier vendor.
Severity – bar + counts: C=Critical, H=High, M=Medium, L=Low.
KEV – CISA Known Exploited Vulnerabilities – confirmed actively exploited in the wild.
PoC – CVEs with public Proof of Concept exploit code available.
Avg EPSS – average Exploit Prediction Scoring System probability across vendor CVEs.
Patch Rate – % of CVEs where vendor has released a patch. Green ≥80%, Yellow ≥50%, Red <50%.
Trend – CVE count change vs previous period of same length. +N = more new CVEs, −N = fewer.