Most vulnerabilities first blabbed about online or on the dark web
Official bug notice? Sure, but not before I get cred and LOLs
More than three-quarters of vulnerabilities are publicly reported online before National Vulnerability Database publication.
News sites, blogs and social media pages as well as more remote areas of the web including the dark web, paste sites, and criminal forums first published bugs more often than NIST's1 centralised National Vulnerability Database (NVD).
"This disparity between the unofficial and official communication of CVEs is placing a greater onus on CISOs and security teams, leaving them unknowingly open to potential exploits and unable to make strategic and informed decisions on their security strategy," according to threat intel firm Recorded Future.
Data taken from the beginning of 2016, and based on an analysis of more than 12,500 security bugs, showed that the median lag was seven days between a CVE2 being revealed to ultimately being published on the NIST's NVD.
The typical time lag of seven days between public disclosure and official notification places organisations at significant risk of threats and calls into question the reliability of official disclosure channels, according to Recorded Future. The time lag between vendor announcements and NVD publishing can be been longer, with the fastest vendor pushing out alerts on average one day later and the slowest publishing with a 172 day average delay. Microsoft and Adobe are quick while IBM and Apache are low.
Gaps between initial vulnerability announcement and NVD release, by vendor [source: Recorded Future blog post]
One in 20 (5 per cent) of vulnerabilities were detailed in the dark web prior to NVD release and these have higher severity levels than expected. For example, the Dirty Cow vulnerability (CVE-2016-5195), whose proof-of-concept (POC) was posted to Pastebin 15 days before NVD publication. The original security report was translated to Russian and posted on an exploit forum two days after the report was first released.
More than 500 CVEs first reported online in 2016 are still awaiting NVD publication, Recorded Future reports.
Christopher Ahlberg, chief exec at Recorded Future, said: "There has long been a belief that there is a significant time delay between the unofficial and official sources for vulnerability disclosure. This research clearly indicates that the NVD and official reporting channels aren't able to keep pace with the volume of CVEs in the wild. Organisations need to look to other sources to apply meaningful and actionable intelligence if they are to protect their organisations."
Recorded Future concludes that organisations need to adopt a proactive and risk-based approach to addressing vulnerabilities, utilising intelligence from sites that are more difficult to access, such as the dark web, but that are the first to see chatter on new threats and potential zero-days. ®
1NIST - The US National Institute of Standards and Technology.
2CVE - Common Vulnerabilities and Exposure, the security bug cataloguing system.