Software Engineering Institute

Organizations working on vulnerability mitigation policies could benefit from knowing whether there is publicly available information about how long it took to discover the relationship between a known exploit and the vulnerabilities attackers used to perpetrate it. Despite the value of this information for informing mitigation policies, a record of how many vulnerabilities end up being associated with known exploits, and a historical timeline that indicates, how long it takes to make those associations is not available.

To investigate these timelines and how exploits become associated to vulnerabilities, the authors of this paper analyzed all vulnerabilities with CVE-IDs that became available since the two common repositories of public exploit data were created. Results of this analysis show that 4.1% (±0.1%) of CVE-IDs are associated to a public exploit code within 365 days of the exploits’ occurrence.

The authors analyzed eight features of a CVE-ID for how they influence exploit publication. Some categories of vulnerabilities (CWE) are much more likely to have exploit code published than others. The vendor of the code is a sporadic predictor of exploit publication likelihood. A greater number of vendors involved in a CVE-ID does not appear to affect exploit publication. CVSS score, commonness of the CWE, and how recently the CVE-ID was published all slightly increase the exploit publication likelihood; the confidence intervals for the size of these three affects overlap.

Of the 75,807 vulnerabilities studied, 3,164 were associated with public exploits over the six-year study; for those associated with exploits, the median time to publication is 2 days, though the mean time is 91 days.

The paper was presented on August 10, 2020, at the USENIX Workshop on Cyber Security Experimentation and Test (CSET '20).