The lifecycle of vulnerabilities: why timing is everything

How vulnerabilities are discovered, disclosed and dispatched makes a significant difference to risk management. And new research says we’re getting it wrong. Mark Mayne investigates…

Vulnerability management is vital for security teams: the volume of published vulnerabilities rises daily, and organised criminal gangs actively seek out and exploit unpatched networks.

The vulnerability disclosure and management industry is maturing rapidly, helped hugely by the growing uptake of bug bounty services and by improvements in automated tooling. Even so, recent research has found that key assumptions behind some of its fundamental strategies, responsible disclosure among them, are flawed.

One of the key findings is that responsible disclosure of a vulnerability before a patch is ready does not have the intended effect: companies do not respond with any sense of urgency. On average, attackers gain a 47-day advantage over defence teams when researchers release an exploit before a patch is available.
