How we compute trends

Definitions

Period

Calendar month (UTC) or ISO week. A period is "complete" when its end timestamp is in the past.

Total CVEs

Distinct CVE IDs whose date_published falls inside the period. For the in-progress period the headline number is linearly projected to the full window — marked with · proj.

KEV added

CVEs CISA added to the Known Exploited Vulnerabilities catalog within the period. "Ransomware-linked" counts where CISA's ransomware_campaign_use = 'Known'.

Critical

CVSS-derived priority bucket from the unified scoring layer — typically CVSS ≥ 9.0.

Newcomer

Vendor in the current top-100 that did not appear in top-100 in any of the prior 24 periods.

Breakout factor

Vendor's current CVE count divided by its 12-period median. Flagged as a breakout at ≥3×.

Rank delta

Movement vs the previous period: ↑ climbed (lower rank number = higher position), ↓ fell.

Detection gap

Vendors with KEV pressure (≥1 KEV in the period) and zero Nuclei templates. Computed client-side from the period's vendor list.

CWE × Vendor

Sparse co-occurrence matrix: distinct CVE IDs joined on affected_json.vendor and weaknesses_json.cwe_id. NVD placeholder CWEs are excluded.

Median days → Nuclei

For CVEs published in the period that received a Nuclei template, the median delay from CVE publish to template publish.

Reproducibility

Every published report is keyed by (period_type, period_start, version). Version bumps when methodology changes — older versions remain accessible. Republishing a snapshot does not overwrite the read API: previous cache keys are abandoned via a trends:cache_version stamp; consumers either keep the response they have or fetch fresh.

The full HTTP API is unauthenticated. See /api/public/trends.