Majority of vulnerabilities appear online before official databases

New research from threat intelligence company Recorded Future reveals that of 12,500 disclosed Common Vulnerabilities and Exposures (CVEs), more than 75 percent were publicly reported online before they were published to the NIST's centralized National Vulnerability Database (NVD).

Sources reporting include easily accessible sites such as news media, blogs, and social media pages as well as more remote areas of the internet including the dark web and criminal forums.

This disparity between the unofficial and official communication of CVEs is placing a greater onus on CISOs and security teams, leaving them open to potential exploits and unable to make strategic and informed decisions on their security strategy. In addition, the vulnerability content available on the dark web illustrates that the adversary community is actively monitoring and acting on the sources initially releasing vulnerability information.

The data, gathered from the beginning of 2016, shows that there's a median lag of seven days between a CVE being revealed to being published on the NIST's NVD. This time lag also significantly differes between vendor announcements and NVD publishing, with the fastest on average one day later and the slowest published with a 172 day average delay.

"There has long been a belief that there is a significant time delay between the unofficial and official sources for vulnerability disclosure," says Christopher Ahlberg, CEO at Recorded Future, comments. "This research clearly indicates that the NVD and official reporting channels aren't able to keep pace with the volume of CVEs in the wild. Organizations need to look to other sources to apply meaningful and actionable intelligence if they are to protect their organizations."

Among detailed findings are that more than 1,500 sources reported on vulnerabilities prior to release, including information security sources like blogs or social feeds and adversary sources on the dark web. Five percent of vulnerabilities are detailed in dark web prior to NVD release and these have higher severity levels than expected.

Of vulnerabilities published to the dark web 30 percent are in non-English languages. Plus, over 500 CVEs first reported online in 2016 are still awaiting NVD publication.

You can find out more about the results including a typical CVE lifecycle on the Recorded Future site.

Photo Credit: adike/Shutterstock