
Security News
New Website “Is It Really FOSS?” Tracks Transparency in Open Source Distribution Models
A new site reviews software projects to reveal if they’re truly FOSS, making complex licensing and distribution models easy to understand.
Sarah Gooding
July 7, 2025
Security engineer Jerry Gamblin, founder of RogoLabs, has released a new open source forecasting tool that aims to predict the growing volume of software vulnerability disclosures. The tool, CVEForecast.org, uses historical CVE data and machine learning models to generate short-term projections of how many new vulnerabilities are likely to be published.
Inspired by community efforts like vuln4cast and quarterly vulnerability reports from FIRST.org, Gamblin built the tool over a long weekend as a personal project. He is inviting feedback from security professionals to help improve its accuracy and usability.
“This was a passion project, and it's my first step in this area,” Gamblin wrote on LinkedIn. “I'm eager for the community's feedback to make it better.”
CVEForecast predicts that 2025 will end with 46,886 published CVEs. That figure would represent the highest number of CVEs recorded in a single year, continuing an upward trend in disclosure volume. The forecast combines published data through June 2025 with projections for the second half of the year, using XGBoost as its most accurate model.
According to the tool:
This would result in a 37 percent increase over the estimated 34,000 CVEs disclosed in 2024, and a near doubling of the number disclosed in 2022.
CVEForecast evaluates 20 different forecasting models using a dataset of over 285,000 CVEs published between September 1999 and July 2025. XGBoost ranks highest for forecast accuracy, with a Mean Absolute Error of 196 CVEs and a Mean Absolute Percentage Error of 4.8 percent. Other high-performing models include CatBoost, NHiTS, and KalmanFilter, though all had slightly higher error rates.
Model predictions for the first half of 2025 were close to observed data. For example, the forecast for February was off by just 33 CVEs, and June came within 28. The January prediction showed the highest deviation, missing by 466 CVEs.
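The evaluation described above (scoring each candidate model on monthly error, then stitching observed months onto forecast months for a year-end total) can be reproduced on a small scale. The block below is an added illustration written for this article, not code from CVEForecast or Jerry Gamblin; every count in it is a constructed sample value, and the model names and functions (`score_models`, `year_end_estimate`, etc.) are hypothetical.

```python
"""Added example: scoring monthly CVE-count forecasts with MAE and MAPE and
combining observed months with projected months into a year-end estimate.
All values are constructed samples, not data from CVEForecast.org."""

from statistics import mean

MONTHS_H1 = ["Jan", "Feb", "Mar", "Apr", "May", "Jun"]
MONTHS_H2 = ["Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed: observed CVE counts for the first six months of a hypothetical year.
OBSERVED_H1 = dict(zip(MONTHS_H1, [3900, 3700, 4100, 3950, 4200, 4050]))

# Constructed: two candidate models' predictions for those same months.
# "boosted" is a stronger model; "flat" simply repeats one constant.
FORECASTS_H1 = {
    "boosted": dict(zip(MONTHS_H1, [3434, 3733, 4180, 3880, 4290, 4022])),
    "flat": dict(zip(MONTHS_H1, [3800] * 6)),
}

# Constructed: the stronger model's projections for the remaining six months.
FORECAST_H2 = dict(zip(MONTHS_H2, [4150, 4200, 4300, 4350, 4250, 4400]))


def deviations(observed, forecast):
    """Signed error per month: positive means the model over-predicted."""
    return {m: forecast[m] - observed[m] for m in observed}


def mean_absolute_error(observed, forecast):
    """MAE in CVEs: average size of the monthly miss, ignoring direction."""
    return mean(abs(forecast[m] - observed[m]) for m in observed)


def mean_absolute_percentage_error(observed, forecast):
    """MAPE in percent: the same miss expressed relative to the observed count."""
    return 100 * mean(abs(forecast[m] - observed[m]) / observed[m] for m in observed)


def score_models(observed, forecasts_by_model):
    """Rank candidate models by MAE (lowest first), reporting MAPE alongside."""
    table = [
        (name, mean_absolute_error(observed, fc), mean_absolute_percentage_error(observed, fc))
        for name, fc in forecasts_by_model.items()
    ]
    return sorted(table, key=lambda row: row[1])


def year_end_estimate(observed_so_far, forecast_remaining):
    """Published counts for the months already seen plus projections for the rest."""
    return sum(observed_so_far.values()) + sum(forecast_remaining.values())


def largest_miss(observed, forecast):
    """The month with the biggest absolute deviation and the size of that miss."""
    month = max(observed, key=lambda m: abs(forecast[m] - observed[m]))
    return month, forecast[month] - observed[month]


if __name__ == "__main__":
    for name, mae, mape in score_models(OBSERVED_H1, FORECASTS_H1):
        print(f"{name:8s} MAE={mae:7.1f} CVEs  MAPE={mape:4.1f}%")
    best = score_models(OBSERVED_H1, FORECASTS_H1)[0][0]
    print("worst month for best model:", largest_miss(OBSERVED_H1, FORECASTS_H1[best]))
    print("year-end estimate:", year_end_estimate(OBSERVED_H1, FORECAST_H2))
```

The ranking step is the part worth keeping: a model is only as good as its error on months it has not seen, so score every candidate on the same held-out window before trusting its second-half projection.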
While the current public forecast ends in January 2026, the projected trend suggests that annual CVE volumes could surpass 50,000 within the next year. The model shows no sign of seasonal dips or slowdown in disclosure activity.
If current patterns hold, the growth of CVE disclosures will continue to strain vulnerability triage processes, patch management, and risk scoring systems across the industry. Tools that help prioritize based on reachability or exploitability will become increasingly essential to avoid being overwhelmed by the volume.
Gamblin has positioned CVEForecast as a starting point for deeper exploration of these trends. With a transparent methodology and a community-driven roadmap, the tool offers a new way to anticipate the scale of the software vulnerability landscape.