A recent report raises questions about software vendors' responsibilities and claims to have detected more than 400,000 vulnerabilities across software vendors. Virtual appliances are often used to provide IT security functions like firewalls, encryption, and secure gateways. They aim to eliminate the need for dedicated hardware and can be deployed on cloud platforms.

Virtual appliances often reach consumers ready to be deployed to public and private cloud environments. Most consumers believe that virtual devices are safe and secure, free from security risks, but Orca’s report proves otherwise.

For the research, conducted in April-May 2020, 2,218 virtual appliances from 540 vendors were scanned and checked for known vulnerabilities and risks. The researchers ranked every appliance according to a scoring system designed for this research.

It is a good idea to encrypt your data before sending it to any virtual appliance. The diagram shows the standard hybrid encryption protocol, which combines symmetric and asymmetric cryptography schemes. It offers a good level of additional security.
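The hybrid scheme mentioned above, as an added example that is not from the original article or from Orca's report: the payload is encrypted with a one-time AES-256-GCM key, and that key is wrapped with the recipient's RSA public key. The choice of RSA-OAEP and AES-GCM, the function names and the sample key pair are assumptions made for this illustration.

```javascript
// Added example: hybrid (envelope) encryption using Node's built-in crypto module.
const crypto = require('node:crypto');

// Key-wrapping parameters (assumption: RSA-OAEP with SHA-256).
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Recipient key pair, constructed for this demo. In practice the private key
// stays with the data owner and is never stored on the virtual appliance.
function generateRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender side: encrypt the payload with a fresh symmetric key, then wrap
// that key with the recipient's public key. `aad` is authenticated, not encrypted.
function hybridEncrypt(publicKey, plaintext, aad = Buffer.alloc(0)) {
  const dataKey = crypto.randomBytes(32); // one-time AES-256 key
  const iv = crypto.randomBytes(12);      // 96-bit GCM nonce, unique per message
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, ciphertext, tag };
}

// Recipient side: unwrap the symmetric key, then decrypt and verify the GCM tag.
// final() throws if the ciphertext, tag or AAD was modified in transit or at rest.
function hybridDecrypt(privateKey, envelope, aad = Buffer.alloc(0)) {
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, envelope.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}
```

Only the holder of the RSA private key can recover the data key, so an appliance that stores or forwards the envelope sees ciphertext only.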

The total number of discovered vulnerabilities is just over 400,000. The appliances received grades from A+ (exemplary) to F (failure). A mere 8% of products scored an A+, while 24% got an A as ‘well-maintained,’ 12% received a B as ‘above average,’ 25% were ‘mediocre’ with a C, 16% got a D as ‘poor,’ and 15% ‘failed’ with an F.

Interestingly enough, some vendors had products that scored an A or A+ alongside products that landed an F.

Correlation quality/price

Another notable finding of the report was that price doesn’t directly correlate with security. More expensive products don’t necessarily offer more protection. 1,489 of the products charged an average of $0.3/hour, while 510 were free, many of which were also open-source. The highest charge among the appliances tested in the report was $3.00/hour. Free products received an average security score of 77.58, while fee-based ones got a 77.38.


It should come as no surprise that, as products get outdated, their vulnerability increases. Regular updates are essential because they fix vulnerabilities. The report found that 110 products had received no updates for at least three years and 1,049 had received none in the last year, while only 312 had been updated over the previous three months. Only 64 had received updates in the past month.


Once the scans and grading were finished, the vendors received emails with the findings. All the vendors were contacted, but only 80 responded. Though the responses varied, many confirmed they had taken remedial action. As a result, 287 products have received updates, and 53 were removed from distribution. Even though these numbers may seem unimpressive, they meant that 36,938 (out of 401,571) discovered vulnerabilities were addressed. After a rescan, products that initially received an F ranking had improved their ranking to an A or A+.

The report also presents a few recommendations to help organizations reduce risks posed by virtual appliances. Among them are asset management and vulnerability management tools. Asset management helps to keep track of virtual devices, while vulnerability management tools assist in finding weaknesses.

Orca made sure to include in its report that all the data presented is a mere guide. A vendor’s top score doesn’t equate to a risk-free guarantee on all its virtual appliances. As already mentioned, some vendors have products with both the top and the lowest scores.