Why Early Visibility Matters: Risk Lurks in the Vulnerability Disclosure Gaps

Source: Tenable Research

A recent report highlights the time gaps between various stages of the vulnerability disclosure process, which can leave organizations vulnerable to attacks. The average delay between initial vulnerability disclosure and publication to the NVD is approximately 15 days, which means organizations relying on NVD may miss critical vulnerability information for over two weeks. This delay poses serious risks as attackers can exploit vulnerabilities within this timeframe without defenders being aware.

Furthermore, the importance of proof-of-concept (PoC) publications has been underscored. Over half of the analyzed vulnerabilities had a PoC published within just seven days of initial disclosure, and a short time to PoC publication, followed by exploitation, can significantly increase risk. Understanding these timelines is crucial for security teams, because each party involved in the process, such as MITRE and NIST, affects how quickly vulnerabilities become known. This dynamic can result in perilous blind spots for organizations.

In light of these findings, organizations need to enhance their vulnerability management strategies. Relying solely on NVD data can lead to severe delays and increased chances of exploitation. Establishing real-time monitoring systems and utilizing multiple data sources to track vulnerabilities are essential steps to mitigate these risks effectively. By understanding and addressing the vulnerabilities in the disclosure process, organizations can better protect themselves against potential breaches.
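To make the gaps described above measurable, the following added example (not code from Tenable or the report) computes the NVD publication lag, the share of vulnerabilities with a PoC within seven days, and the records an NVD-only consumer would be blind to on a given day. The records are constructed sample data, not values from the report.

```python
from datetime import date
from statistics import mean

# Constructed sample records: the dates a vulnerability became visible in
# different sources. None means the source has not published it yet.
SAMPLE = [
    {"id": "VULN-A", "disclosed": date(2024, 3, 1),  "nvd": date(2024, 3, 18), "poc": date(2024, 3, 4)},
    {"id": "VULN-B", "disclosed": date(2024, 3, 5),  "nvd": date(2024, 3, 6),  "poc": None},
    {"id": "VULN-C", "disclosed": date(2024, 3, 10), "nvd": None,              "poc": date(2024, 3, 12)},
]


def days_between(start, end):
    """Days from start to end, or None if either date is unknown."""
    if start is None or end is None:
        return None
    return (end - start).days


def average_nvd_lag(records):
    """Mean days between initial disclosure and NVD publication (published records only)."""
    lags = [days_between(r["disclosed"], r["nvd"]) for r in records]
    lags = [d for d in lags if d is not None]
    return mean(lags) if lags else 0.0


def poc_within(records, window_days=7):
    """Fraction of records whose PoC appeared within window_days of disclosure."""
    hits = 0
    for r in records:
        d = days_between(r["disclosed"], r["poc"])
        if d is not None and d <= window_days:
            hits += 1
    return hits / len(records) if records else 0.0


def nvd_only_blind_spots(records, today):
    """Records an NVD-only consumer cannot see on `today` even though the
    vulnerability is already public. Returns (id, days_exposed, poc_public)."""
    out = []
    for r in records:
        if r["disclosed"] > today:
            continue  # not public yet, no blind spot
        if r["nvd"] is None or r["nvd"] > today:
            exposed = (today - r["disclosed"]).days
            poc_public = r["poc"] is not None and r["poc"] <= today
            out.append((r["id"], exposed, poc_public))
    return out
```

Feeding real vendor advisory, NVD and PoC timestamps into these functions gives a per-organization view of how long the disclosure gap actually leaves assets unseen.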

👉 Read the original: Tenable Research