Historical Analysis of Exploit Availability Timelines
Allen D. Householder, Carnegie Mellon University; Jeff Chrabaszcz, Govini; Trent Novelly, Carnegie Mellon University; David Warren, SEI CERT; Jonathan M. Spring, Carnegie Mellon University
Vulnerability management is an important cybersecurity function. Within vulnerability management, there are multiple points where knowing whether an exploit targeting a given vulnerability is publicly available would inform vulnerability mitigation priority. Despite the value of this question, there is no available historical baseline of when and how many vulnerabilities get associated public exploits. We analyze all vulnerabilities with CVE-IDs since two common repositories of public exploit data became available and find that 4.1+/-0.1% of CVE-IDs have public exploit code associated with them within 365 days. We analyze eight features of a CVE-ID for how they influence exploit publication. Some categories of vulnerability (CWE) are much more likely to have exploit code published than others. Vendor is a sporadic predictor of exploit publication likelihood. More vendors involved in a CVE-ID does not appear to affect exploit publication. CVSS score, commonness of the CWE, and how recently the CVE-ID was published all slightly increase the exploit publication likelihood; the confidence intervals for the size of these three effects overlap. Of 75,807 vulnerabilities studied, 3,164 had public exploits over the whole six year study; for those with exploits, the median time to publication is two days, though the mean time is 91 days.
View the full CSET '20 program at https://www.usenix.org/conference/cset20/workshop-program