Historical Analysis of Exploit Availability Timelines
August 2020 • White Paper
Allen D. Householder, Jeff Chrabaszcz (Govini), Trent Novelly, David Warren, Jonathan Spring
This paper analyzes when and how known exploits become associated with the vulnerabilities that made them possible.
Software Engineering Institute
Organizations working on vulnerability mitigation policies could benefit from knowing whether there is publicly available information about how long it took to discover the relationship between a known exploit and the vulnerabilities attackers used to perpetrate it. Despite the value of this information for informing mitigation policies, a record of how many vulnerabilities end up being associated with known exploits, and a historical timeline that indicates, how long it takes to make those associations is not available.
To investigate these timelines and how exploits become associated to vulnerabilities, the authors of this paper analyzed all vulnerabilities with CVE-IDs that became available since the two common repositories of public exploit data were created. Results of this analysis show that 4.1% (±0.1%) of CVE-IDs are associated to a public exploit code within 365 days of the exploits’ occurrence.
The authors analyzed eight features of a CVE-ID for how they influence exploit publication. Some categories of vulnerabilities (CWE) are much more likely to have exploit code published than others. The vendor of the code is a sporadic predictor of exploit publication likelihood. A greater number of vendors involved in a CVE-ID does not appear to affect exploit publication. CVSS score, commonness of the CWE, and how recently the CVE-ID was published all slightly increase the exploit publication likelihood; the confidence intervals for the size of these three affects overlap.
Of the 75,807 vulnerabilities studied, 3,164 were associated with public exploits over the six-year study; for those associated with exploits, the median time to publication is 2 days, though the mean time is 91 days.
The paper was presented on August 10, 2020, at the USENIX Workshop on Cyber Security Experimentation and Test (CSET '20).