Security-related vulnerability life cycle analysis
Résumé
This paper deals with the characterization of security-related vulnerabilities based on public data reported in the Open Source Vulnerability Database. We focus on the analysis of vulnerability life cycle events corresponding to the vulnerability discovery, the vulnerability disclosure, the patch release, and the exploit availability. We study the distribution of the time between these events considering different operating systems (Windows, Unix, Mobile OS), and different attributes such as the vulnerability impact on confidentiality, integrity or availability, the access vector reflecting how the vulnerability is exploited, and the complexity of the exploit. The results obtained highlight some interesting trends and behaviours, concerning, e.g. the time between the disclosure of a vulnerability and the availability of a patch or of the exploit, that are sometimes specific to the considered operating system or the vulnerability attributes. The results are also aimed at providing useful inputs to security risk assessment and modelling studies.
Origine : Fichiers produits par l'(les) auteur(s)
Loading...