Majority of vulnerabilities appear online before official databases

Sources reporting include easily accessible sites such as news media, blogs, and social media pages as well as more remote areas of the internet including the dark web and criminal forums.

This gap between the unofficial and the official communication of CVEs places a greater burden on CISOs and security teams: a vulnerability that is already public but not yet in the official database leaves them exposed to exploitation and unable to make informed, strategic decisions about their security posture. In addition, the vulnerability content available on the dark web shows that the adversary community is actively monitoring, and acting on, the sources that first release vulnerability information.

The data, gathered from the beginning of 2016, shows a median lag of seven days between a CVE first being revealed and its publication on NIST's NVD. The lag also differs significantly between vendor announcements and NVD publication: the fastest vendors were published one day later on average, while the slowest were published with an average delay of 172 days.
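The measurement behind these figures is straightforward to reproduce against a team's own watchlist: record when a CVE was first seen in any source and when it appeared in NVD, then compute the lag. The following script is an added example, not code from the original article or from the research it reports, and the records it uses are constructed sample data with placeholder CVE identifiers rather than real disclosures. It computes the median lag, the average lag per disclosing source, and the "exposure window" of CVEs that are already public but still absent from NVD, which is the set a security team needs to act on without waiting for the official entry.

```python
from datetime import date
from statistics import mean, median

# Constructed sample records (placeholder CVE ids, not real data).
# first_seen: date the CVE was first observed in any public source.
# nvd_published: date it appeared in NVD, or None if not yet published.
RECORDS = [
    {"cve": "CVE-YYYY-0001", "source": "vendor advisory",
     "first_seen": date(2016, 3, 1), "nvd_published": date(2016, 3, 2)},
    {"cve": "CVE-YYYY-0002", "source": "blog",
     "first_seen": date(2016, 3, 1), "nvd_published": date(2016, 3, 8)},
    {"cve": "CVE-YYYY-0003", "source": "social media",
     "first_seen": date(2016, 3, 5), "nvd_published": date(2016, 3, 20)},
    {"cve": "CVE-YYYY-0004", "source": "vendor advisory",
     "first_seen": date(2016, 4, 1), "nvd_published": date(2016, 4, 4)},
    {"cve": "CVE-YYYY-0005", "source": "blog",
     "first_seen": date(2016, 4, 10), "nvd_published": None},
]


def lag_days(record):
    """Days between first public sighting and NVD publication; None if pending."""
    if record["nvd_published"] is None:
        return None
    return (record["nvd_published"] - record["first_seen"]).days


def median_lag(records):
    """Median disclosure-to-NVD lag over records that have reached NVD."""
    lags = [lag_days(r) for r in records if r["nvd_published"] is not None]
    return float(median(lags)) if lags else None


def mean_lag_by_source(records):
    """Average lag per disclosing source, mirroring the per-vendor comparison."""
    by_source = {}
    for r in records:
        lag = lag_days(r)
        if lag is not None:
            by_source.setdefault(r["source"], []).append(lag)
    return {src: float(mean(lags)) for src, lags in by_source.items()}


def exposure_window(records, today):
    """CVEs that are public but not yet in NVD, with days outstanding.

    These are the entries a team cannot see by polling NVD alone and so
    must track from the unofficial sources directly.
    """
    pending = [(r["cve"], (today - r["first_seen"]).days)
               for r in records if r["nvd_published"] is None]
    return sorted(pending, key=lambda item: -item[1])


if __name__ == "__main__":
    print("median lag (days):", median_lag(RECORDS))
    print("mean lag by source:", mean_lag_by_source(RECORDS))
    print("public but not in NVD:", exposure_window(RECORDS, date(2016, 4, 20)))
```

Running it over real data only requires replacing `RECORDS` with the team's own observations; the `exposure_window` list is the one worth alerting on, since every entry in it is a vulnerability adversaries may already be discussing while the official database is still silent.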
