
According to CVEdetails.com, there were 6447 CVEs in 2016. In 2017 there were 14714 CVEs. That's 128% more than in 2016. Further, in 2018 it rose even higher, with 16555 CVEs. A single peak in one year might happen, but a second, even higher peak in the following year seems odd to me.

[Chart: CVEs per year from 1999 to 2019]

Is there a special reason why the number of CVEs increased so much since 2017?

Noir

1 Answer


Until 2016, MITRE was having trouble assigning CVEs. The process was cumbersome, it took a very long time, and more often than not, researchers simply didn't get a CVE assigned.

In 2017, MITRE changed their assignment process. They created a web form, and are now assigning CVEs in a matter of hours or days. They also outsourced the assignment of CVEs for open source projects to the DWF.

So the spike you are seeing doesn't necessarily mean that more vulnerabilities have been discovered, but just that more researchers apply for and successfully get CVEs. The further increase in 2018 might be explained by more researchers realizing that it is once again possible to easily get CVEs, so even more researchers request them instead of just going without a CVE.

tim

Comments:

  • Another great example why you need to be careful about drawing conclusions about product security purely from CVE stats. – Arminius Feb 14 '19 at 18:28
  • This is great when using the OWASP dependency checker to have most vulnerabilities documented for dependencies. – Andrew Russell Feb 14 '19 at 21:08