Known exploited vulnerabilities by market cap
It’s easy to criticize vendors for the number of known exploited vulnerabilities in their software, but raw counts lack context. A company with 100 software products will naturally have more vulnerabilities than one with a smaller portfolio. However, product count alone doesn’t account for a company’s size or resources.
Microsoft is a prime example: as of this writing, it accounts for 311 entries in CISA’s Known Exploited Vulnerabilities (KEV) catalog—25% of all entries. This is often dismissed because of Microsoft’s size and expansive product portfolio. However, a common counterpoint is that its scale affords the company more resources for product security than most.
How do we perform a simple comparison of product security effectiveness across organizations of various sizes, making different types of products for different types of customers? We use the great equalizer: United States Dollars.
Here’s how the CISA KEV leaderboard—specifically the 10 publicly traded companies with the most KEV entries—appears when normalized by market cap:
Vendor | KEVs | Market Cap (USD) | KEVs per Billion in Market Cap |
---|---|---|---|
D-Link | 20 | $13,310,000,000 | 1.503 |
Adobe | 73 | $181,670,000,000 | 0.402 |
Cisco | 74 | $236,300,000,000 | 0.313 |
Fortinet | 15 | $70,890,000,000 | 0.212 |
Atlassian | 13 | $64,200,000,000 | 0.202 |
Microsoft | 311 | $3,090,000,000,000 | 0.101 |
Oracle | 38 | $437,190,000,000 | 0.087 |
| 60 | $2,330,000,000,000 | 0.026 |
Apple | 77 | $3,510,000,000,000 | 0.022 |
Citrix | 16 | $1,050,000,000,000 | 0.015 |
Updated 2025-01-14
Nothing is perfect, but this approach offers a fair way to compare product security effectiveness without relying on subjective or manipulatable criteria. A known exploited vulnerability represents an objectively poor security outcome. Using market cap as the denominator avoids debates over distinctions like product lines, software versions, platforms, and more.
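The normalization described above, as an added example that is not part of the original post: count catalog entries per `vendorProject`, divide by market cap in billions, and rank. The field names `cveID`, `vendorProject`, `product` and `dateAdded` are those of CISA's KEV JSON feed; the entries below are a constructed mini-catalog in that shape (the CVE IDs are placeholders, not real identifiers), and the market-cap figures are the ones from the table. Vendors with no market cap (open-source projects, private companies) are skipped rather than ranked, which is the main practical caveat of this metric.

```python
"""Normalize CISA KEV counts by vendor market cap (added example, not the post's code)."""
import json
from collections import Counter

# Constructed sample in the layout of the KEV feed's "vulnerabilities" list.
# CVE IDs are placeholders; CVE-0000-0003 appears twice to exercise deduplication.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "D-Link", "product": "Router", "dateAdded": "2024-01-10"},
        {"cveID": "CVE-0000-0002", "vendorProject": "D-Link", "product": "NAS", "dateAdded": "2024-02-14"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2024-03-01"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2024-03-01"},
        {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft", "product": "Exchange", "dateAdded": "2024-04-09"},
        {"cveID": "CVE-0000-0005", "vendorProject": "Microsoft", "product": "Office", "dateAdded": "2024-05-14"},
        {"cveID": "CVE-0000-0006", "vendorProject": "Microsoft", "product": "SharePoint", "dateAdded": "2024-06-11"},
        {"cveID": "CVE-0000-0007", "vendorProject": "Adobe", "product": "Acrobat", "dateAdded": "2024-07-09"},
        {"cveID": "CVE-0000-0008", "vendorProject": "Linux", "product": "Kernel", "dateAdded": "2024-08-13"},
    ]
}

# Market caps in USD, taken from the table above. "Linux" is deliberately absent:
# there is no market cap to normalize by, so it drops out of the ranking.
MARKET_CAP_USD = {
    "D-Link": 13_310_000_000,
    "Adobe": 181_670_000_000,
    "Microsoft": 3_090_000_000_000,
}


def load_catalog(path):
    """Load a saved copy of the KEV JSON feed; same shape as SAMPLE_KEV."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def count_kevs_by_vendor(catalog):
    """Count catalog entries per vendorProject, deduplicating by cveID."""
    seen = set()
    counts = Counter()
    for entry in catalog["vulnerabilities"]:
        cve = entry["cveID"]
        if cve in seen:
            continue
        seen.add(cve)
        counts[entry["vendorProject"]] += 1
    return counts


def kevs_per_billion(counts, market_caps, decimals=3):
    """Rank vendors by KEVs per billion USD of market cap.

    Returns (vendor, kevs, share_of_catalog_pct, market_cap_usd, per_billion)
    tuples, highest ratio first. Vendors without a market cap are skipped.
    """
    total = sum(counts.values())
    rows = []
    for vendor, kevs in counts.items():
        cap = market_caps.get(vendor)
        if not cap:
            continue
        share = round(100.0 * kevs / total, 1)
        rows.append((vendor, kevs, share, cap, round(kevs / (cap / 1e9), decimals)))
    rows.sort(key=lambda r: r[4], reverse=True)
    return rows


if __name__ == "__main__":
    ranked = kevs_per_billion(count_kevs_by_vendor(SAMPLE_KEV), MARKET_CAP_USD)
    print(f"{'Vendor':<10} {'KEVs':>5} {'Share%':>7} {'Market cap (USD)':>20} {'KEVs/$B':>8}")
    for vendor, kevs, share, cap, ratio in ranked:
        print(f"{vendor:<10} {kevs:>5} {share:>7} {cap:>20,} {ratio:>8}")
```

Pointing `load_catalog` at a downloaded copy of the feed and supplying a fuller `MARKET_CAP_USD` map reproduces the table; note that `vendorProject` strings in the feed are not always consistent for one company, so a real run needs a vendor-name mapping step before counting.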