Dynamics of (In)Security

Analysis of the Vulnerability Ecosystem

An interesting aspect of our analysis is the direct comparison of the distributions of the discovery date, patch availability and exploit availability. Our methodology is as follows: We normalize the event-dates to the disclosure date of the vulnerability. Then we plot the discovery, exploit and patch availability dates relative to the disclosure date (scatter plot, CDF).
Plot Methodology

Discovery Date Analysis

Vulnerability Discovery Date Distribution

Measure of Black Risk
15% of vulnerabilities known to insiders 30 or more days before disclosure (less-than-zero-day).
Vulnerabilities not yet known to the public are systematically used by:

Hackers
Spammers and Phishers
Governments (Bundestrojaner?)

Exploit Date Analysis

High dynamics at the disclosure date (zero-day exploit)
Exploit availability jumps from 10% to 80% at disclosure date
New exploits are readily assessed by security information providers

Patch Date Analysis

Measure of Grey Risk
At disclosure, only 50% of the vulnerabilities have a patch
A month after disclosure, still 30% unpatched vulnerabilities

Dynamics of (In)Security

Difference between the exploit (red) and patch (green) curves shows the imbalance in favor of insecurity
The Bad are consistently faster than the Good