Minimus Has 95% Fewer CVEs—Here’s How We Back That Up (and More)

By
Josh Thorngren
May 13, 2025

If you’ve browsed our website, or visited us at RSAC this year, you’ve seen us make a number of claims in our marketing that cite specific numbers, either about Minimus itself or other aspects of cybersecurity. 

In this post, we’re pulling back the curtain on where each of those statistics came from. Where it’s our own work or research, we’ll talk through the method. Where we’ve borrowed from others, we’ll give credit where it’s due. 

Claim #1: Minimus Reduces 95% of CVEs.

Our CVE reduction calculation is straightforward. For each image in the Minimus gallery, we continuously monitor the publicly available equivalent on DockerHub and display the CVE breakdown of the public image side-by-side with the Minimus image.  

We use the following formula: (# of CVEs in the DockerHub image - # of CVEs in the Minimus image) / # of CVEs in the DockerHub image

This gives us the reduction percentage for an individual image, which we then average across all images to arrive at our overall figure.

Take Go, the image shown here, as an example: (99 - 1) / 99 = 98.98%.

Of course, this number changes every time a new CVE is found, a CVE is fixed, or we add a new image to Minimus. As of this post, the average CVE reduction is 98%. 

To ensure we stay conservative in our messaging, we subtract a few percentage points off the lowest number we’ve seen in the past 90 days. That modified number is what we use in our marketing collateral.
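As an added worked example (not Minimus's own code), here is the per-image formula, the cross-image average, and the conservative 90-day floor in Python; the sample CVE counts, image names, daily history, and the 3-point margin are constructed assumptions.

```python
import math
from datetime import date, timedelta

# Constructed sample: CVE counts for a public DockerHub image and its Minimus equivalent.
IMAGES = {
    "go": {"dockerhub": 99, "minimus": 1},
    "python": {"dockerhub": 120, "minimus": 3},
    "nginx": {"dockerhub": 45, "minimus": 0},
    "empty-base": {"dockerhub": 0, "minimus": 0},  # edge case: nothing to reduce
}


def reduction_pct(dockerhub_cves, minimus_cves):
    """(DockerHub - Minimus) / DockerHub, as a percentage.

    Returns None when the public image has no CVEs, so a zero-count image
    neither divides by zero nor inflates the average.
    """
    if dockerhub_cves == 0:
        return None
    return (dockerhub_cves - minimus_cves) / dockerhub_cves * 100


def average_reduction(images):
    """Mean per-image reduction, skipping images with no public CVEs."""
    vals = [reduction_pct(v["dockerhub"], v["minimus"]) for v in images.values()]
    vals = [v for v in vals if v is not None]
    return sum(vals) / len(vals)


def marketing_figure(daily_averages, today, window_days=90, margin_points=3):
    """Lowest daily average seen in the window, minus a margin, floored to a whole percent.

    margin_points=3 is an assumed value for "a few percentage points".
    """
    cutoff = today - timedelta(days=window_days)
    in_window = [avg for d, avg in daily_averages if cutoff <= d <= today]
    return math.floor(min(in_window) - margin_points)


# Constructed history of daily averages (the oldest entry falls outside the 90-day window).
HISTORY = [(date(2025, 1, 1), 90.0), (date(2025, 3, 1), 97.2), (date(2025, 5, 13), 98.83)]

if __name__ == "__main__":
    print(f"go: {reduction_pct(99, 1):.2f}%")
    print(f"average: {average_reduction(IMAGES):.2f}%")
    print(f"marketing figure: {marketing_figure(HISTORY, date(2025, 5, 13))}%")
```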

Claim #2: Only 10% of Vulnerabilities Are Remediated.

This is credited to the team at Cyentia and their excellent study on organizational capacity for vulnerability remediation that’s published over at Cisco’s website. The report covers several topics, like remediation velocity, but the most eye-opening for us was the deep look at the capacity organizations have to remediate vulnerabilities.

They calculated capacity by looking at the ratio of open to closed vulnerabilities on a monthly basis, and found compelling evidence (the R² is 0.93 IYKYK) that only 10% of vulnerabilities actually get remediated.

Ratio of Open to Closed Vulnerabilities per Month (Cyentia)

An additional sobering takeaway from this report was that half of the organizations studied showed signs of remediation capacity decreasing over time as new vulnerability rates continue to rise. This speaks to the challenges we hear from customers, who talk about the rapid rise in vulnerabilities as they’ve moved to cloud native solutions for building and delivering applications.  

If you’re interested in reading more on this topic, we’d suggest our very own Neil Carpenter’s Zen and the Art of Vulnerability Prioritization that he authored during his time with our friends at Orca Security. 

Claims #3-5 aka “The Deck Numbers” 

Minimus Introduction Deck Stats

These three metrics come straight from the introduction deck we use when talking to someone that’s curious about what Minimus does and why it matters. They highlight the scope and cost associated with managing risks from CVEs.

  • 81% of open source software contains a critical CVE. This is from BlackDuck’s latest Open Source Security and Risk Analysis report, released earlier this year. They also found that 97% of commercially available software contains open source software.  
  • The average container has 240 high or critical CVEs in it. This came from NetRise in the second edition of their Software Supply Chain Visibility and Risk Study, released in February of this year. They surveyed 250 of the most popular images on DockerHub and found that the average container has 604 vulnerabilities, with 40.9% being critical or high severity. We did the math on our end (604 x 40.9%) to arrive at the final number of around 240 high or critical CVEs.
  • Organizations spend $28k per developer per year on managing CVEs. This whopping price tag comes from a late 2024 report by JFrog and IDC that surveyed organizations with over 1,000 employees in the United States and Europe. The cost includes time spent triaging, prioritizing, and remediating vulnerabilities—and it adds up quickly.

Seen Enough Stats? Let’s Talk About Yours

The numbers make it clear: reducing vulnerabilities upfront lowers both risk and long-term management costs. We’ve shown you where our marketing stats come from—if you want to learn more about any of these claims or see how much Minimus can reduce your CVE risk, request a demo from our team today.
