Time between vulnerability disclosures: A measure of software product vulnerability
Affiliation (all authors): KTH, School of Electrical Engineering (EES), Electric power and energy systems
ORCID iDs (as listed on the record): 0000-0002-3293-1681, 0000-0003-3089-3885, 0000-0003-3922-9606
2016 (English). In: Computers & Security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 62, pp. 278-295. Article in journal (Refereed). Published.
Abstract [en]

Time between vulnerability disclosures (TBVD) for individual analysts is proposed as a meaningful measure of the likelihood of finding a zero-day vulnerability within a given timeframe. Based on publicly available data, probabilistic estimates of the TBVD of various software products are provided. Sixty-nine thousand six hundred forty-six vulnerabilities from the National Vulnerability Database (NVD) and the SecurityFocus Vulnerability Database were harvested, integrated and categorized according to the analysts responsible for their disclosure as well as by the affected software products. Probability distributions were fitted to the TBVD per analyst and product. Among competing distributions, the Gamma distribution demonstrated the best fit, with the shape parameter, k, similar for most products and analysts, while the scale parameter, θ, differed significantly. For forecasting, autoregressive models of the first order were fitted to the TBVD time series for various products. Evaluation demonstrated that forecasting of TBVD on a per-product basis was feasible. Products were also characterized by their relative susceptibility to vulnerabilities with impact on confidentiality, integrity and availability respectively. The differences in TBVD between products are significant, e.g. spanning differences of over 500% among the 20 most common software products in our data. Differences are further accentuated by the differing impact, so that, e.g., the mean working time between disclosures of vulnerabilities with a complete impact on integrity (as defined by the Common Vulnerability Scoring System) for Linux (110 days) exceeds that of Windows 7 (6 days) by over 18 times.
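The abstract describes a three-step pipeline: turn per-product disclosure dates into a TBVD series, fit a Gamma distribution (shape k, scale θ) to that series, and fit an AR(1) model to forecast the next gap. The following is an added example written for this record, not code from the paper or its authors. The disclosure records, product names and CVSS integrity labels are constructed, and the Gamma estimator used is the method of moments (k = mean²/variance, θ = variance/mean), which is this example's choice rather than necessarily the paper's.

```python
"""Added example (not from the paper): derive time-between-vulnerability-
disclosure (TBVD) series from constructed disclosure records, fit a Gamma
distribution with the method of moments, and fit a first-order
autoregressive model (AR(1)) for one-step-ahead forecasting.
All record values and helper names are constructed for illustration."""
from datetime import date
from statistics import mean, variance

# Constructed records: (product, disclosure date, CVSS integrity impact).
# Deliberately unsorted, as harvested data usually is.
SAMPLE_RECORDS = [
    ("product-a", date(2015, 2, 9), "COMPLETE"),
    ("product-a", date(2015, 1, 5), "PARTIAL"),
    ("product-a", date(2015, 3, 2), "COMPLETE"),
    ("product-a", date(2015, 1, 19), "NONE"),
    ("product-a", date(2015, 3, 9), "COMPLETE"),
    ("product-a", date(2015, 2, 2), "COMPLETE"),
    ("product-b", date(2015, 1, 20), "PARTIAL"),
    ("product-b", date(2015, 1, 10), "COMPLETE"),
    ("product-b", date(2015, 1, 13), "NONE"),
    ("product-b", date(2015, 1, 12), "COMPLETE"),
    ("product-b", date(2015, 1, 21), "COMPLETE"),
]


def tbvd_series(records, product, integrity=None):
    """Days between consecutive disclosures for one product, optionally
    restricted to a given CVSS integrity impact level."""
    dates = sorted(d for p, d, imp in records
                   if p == product and (integrity is None or imp == integrity))
    return [(later - earlier).days for earlier, later in zip(dates, dates[1:])]


def fit_gamma_moments(series):
    """Method-of-moments Gamma fit: shape k = mean^2 / var, scale theta = var / mean.
    (Method of moments is this example's choice of estimator, not necessarily
    the paper's.)"""
    if len(series) < 2:
        raise ValueError("need at least two inter-disclosure gaps")
    m, v = mean(series), variance(series)
    if v == 0:
        raise ValueError("zero variance: Gamma shape is undefined")
    return {"k": m * m / v, "theta": v / m}


def fit_ar1(series):
    """Least-squares AR(1): x_t = c + phi * x_{t-1}. Returns (c, phi)."""
    if len(series) < 3:
        raise ValueError("need at least three observations")
    xs, ys = series[:-1], series[1:]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("constant lagged series: phi is undefined")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    phi = sxy / sxx
    return my - phi * mx, phi


def forecast_next(series):
    """One-step-ahead TBVD forecast from the fitted AR(1) model."""
    c, phi = fit_ar1(series)
    return c + phi * series[-1]


def product_summary(records, product, integrity=None):
    """Figures a practitioner would compare across products: number of gaps,
    mean TBVD in days, fitted Gamma parameters and the next-gap forecast."""
    series = tbvd_series(records, product, integrity)
    return {
        "n_gaps": len(series),
        "mean_tbvd_days": mean(series),
        "gamma": fit_gamma_moments(series),
        "forecast_next_gap_days": forecast_next(series),
    }


if __name__ == "__main__":
    for product in ("product-a", "product-b"):
        print(product, product_summary(SAMPLE_RECORDS, product))
    # Restricting to complete integrity impact changes the series, which is
    # the kind of per-impact comparison the abstract draws between products.
    print("product-a, complete integrity impact only:",
          tbvd_series(SAMPLE_RECORDS, "product-a", integrity="COMPLETE"))
```

A short series like the constructed one gives unstable parameter estimates; the guards in `fit_gamma_moments` and `fit_ar1` catch the degenerate cases (too few gaps, zero variance) that appear for rarely disclosed products, and in practice a series would need many more gaps before the fitted k, θ or φ are worth comparing across products.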

Place, publisher, year, edition, pages
Elsevier, 2016. Vol. 62, pp. 278-295.
Keyword [en]
Software vulnerability, Time between vulnerability disclosures, Distribution fitting, Time series analysis, Information security, Cyber security
National Category
Computer and Information Science
URN: urn:nbn:se:kth:diva-196623
DOI: 10.1016/j.cose.2016.08.004
ISI: 000386408600017
Scopus ID: 2-s2.0-84983756963
OAI: diva2:1047378
EU, FP7, Seventh Framework Programme, 607109

Available from: 2016-11-17. Created: 2016-11-17. Last updated: 2016-11-17. Bibliographically approved.

Authors: Johnson, Pontus; Lagerström, Robert; Ekstedt, Mathias