Vulnerability Risk Exposure Time
Exposure Phases
The milestones of the vulnerability lifecycle (discovery, disclosure, patch availability and patch implementation) let us distinguish different risk exposure phases. During the entire time between discovery and patch implementation, the user of the vulnerable software is at risk. This exposure time can be separated into three phases: the Black Risk, the Gray Risk and the White Risk. The first two are exogenous, their length being set by parties outside the affected organization (whoever discovers the vulnerability, and the vendor); the third is endogenous, its length being set by the organization's own patching process. In the table below we describe these phases.
Risk Exposure Phases

Black Risk (exogenous): During the time from discovery to disclosure, only a closed group is aware of the vulnerability. This group could be anyone from hackers to organized crime tempted to misuse this knowledge; on the other hand, it could be researchers and vendors working together to provide a fix for the identified vulnerability. We call the risk exposure arising from this period the Black Risk because the vulnerability is known to have a security impact, whereas the public has no access to this knowledge and therefore cannot assess or mitigate it.

Gray Risk (exogenous): During the time from disclosure to patch availability, the software user waits for the vendor to issue a patch. We call the risk exposure arising from this period the Gray Risk because the public, potential attackers included, is aware of the vulnerability, but the user has not yet received remediation from the software vendor/originator. However, through the information provided in the disclosure, the organization can assess its individual risk and might implement a workaround until a patch is available.

White Risk (endogenous): The time from patch availability to patch implementation. The duration of this period is under the control of the organization using the vulnerable software: it ends only when the organization installs the patch, which is why this phase is endogenous while the two preceding ones are not.
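The phase model above is easy to apply to a vulnerability inventory once the four milestone dates are recorded. The following is an added example, not code from the original page: it classifies the phase an organization is in on any given day, enforces that the milestones are recorded in lifecycle order (a patch cannot be installed before it exists, nor exist before disclosure), counts an unfinished phase up to "today", and sums Black, Gray and White days across several records. The identifiers (VULN-A etc.) and dates are constructed sample data, and the zero-day case (discovery and disclosure on the same day, so the Black phase has zero length) is included deliberately.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Phase names from the exposure model: discovery -> disclosure is Black,
# disclosure -> patch availability is Gray, patch availability -> patch
# implementation is White. "closed" means the patch has been installed.
BLACK, GRAY, WHITE, CLOSED = "black", "gray", "white", "closed"


@dataclass(frozen=True)
class Lifecycle:
    """Milestone dates for one vulnerability in one organization's estate.

    Later milestones are None while they have not happened yet.
    """
    vuln_id: str                              # hypothetical tracker key
    discovered: date
    disclosed: Optional[date] = None
    patch_available: Optional[date] = None
    patch_installed: Optional[date] = None

    def __post_init__(self) -> None:
        # Milestones must be non-decreasing, and a later milestone cannot be
        # recorded while an earlier one is still missing.
        seq = [self.discovered, self.disclosed,
               self.patch_available, self.patch_installed]
        for earlier, later in zip(seq, seq[1:]):
            if later is not None and earlier is None:
                raise ValueError(f"{self.vuln_id}: milestone recorded out of order")
            if later is not None and later < earlier:
                raise ValueError(f"{self.vuln_id}: milestones must be non-decreasing")

    def phase_at(self, when: date) -> Optional[str]:
        """Risk phase the organization is in on day `when` (None before discovery)."""
        if when < self.discovered:
            return None
        if self.disclosed is None or when < self.disclosed:
            return BLACK
        if self.patch_available is None or when < self.patch_available:
            return GRAY
        if self.patch_installed is None or when < self.patch_installed:
            return WHITE
        return CLOSED

    def durations(self, today: date) -> Dict[str, int]:
        """Days spent in each phase; a phase still open is counted up to `today`."""
        bounds = [self.discovered, self.disclosed,
                  self.patch_available, self.patch_installed]
        out: Dict[str, int] = {}
        for name, start, end in zip((BLACK, GRAY, WHITE), bounds, bounds[1:]):
            if start is None:            # phase has not begun yet
                out[name] = 0
                continue
            end_eff = end if end is not None else today
            out[name] = max((end_eff - start).days, 0)
        return out


def total_exposure(records: Iterable[Lifecycle], today: date) -> Dict[str, int]:
    """Sum of Black, Gray and White days over an inventory of records."""
    totals = {BLACK: 0, GRAY: 0, WHITE: 0}
    for rec in records:
        for phase, days in rec.durations(today).items():
            totals[phase] += days
    return totals


# Constructed sample inventory (not real vulnerabilities).
TODAY = date(2024, 3, 1)
SAMPLE: List[Lifecycle] = [
    # fully closed: 30 Black days, 10 Gray days, 20 White days
    Lifecycle("VULN-A", date(2023, 11, 1), date(2023, 12, 1),
              date(2023, 12, 11), date(2023, 12, 31)),
    # zero-day style: discovered by public disclosure, no patch yet (Gray, open)
    Lifecycle("VULN-B", date(2024, 2, 1), date(2024, 2, 1)),
    # patch released but not yet installed (White, open)
    Lifecycle("VULN-C", date(2024, 1, 1), date(2024, 1, 15), date(2024, 2, 1)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.vuln_id, rec.phase_at(TODAY), rec.durations(TODAY))
    print("totals:", total_exposure(SAMPLE, TODAY))
```

Only the White total is something the organization can shorten by itself; the Black and Gray totals are a measure of how much exposure it inherited from the discoverers and vendors, which is the distinction the exogenous/endogenous labels above are making.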