New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development. The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space – namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem.
The research was conducted by Kenna Security, the enterprise leader in risk-based vulnerability management, and the Cyentia Institute. It examines how the common practices among security researchers impact the overall security of corporate IT networks. The analysis found that when exploit code is made public prior to the release of a patch, cybercriminals get a critical head start. At the same time, when exploits are released before patches, it takes security teams more time to address the problem, even after the patch is released.
“The debate over responsible disclosure has existed for decades, but this data provides an objective correlation between vulnerability discovery, disclosure, and patch delivery for the first time ever,” said Ed Bellis, founder and CTO of Kenna Security. “However, the results raise several questions about responsible exposure, demonstrating that the timing of exploit code release can shift the balance in favour of attackers or defenders.”
Whether exploit code is released first or a patch is released first, the research found that there are periods of time when attackers have the momentum and when defenders have momentum – a reflection of the fact that no matter when a patch is released, some companies simply don’t or can’t install it before attackers make their move. For approximately nine of the 15 months studied in this analysis, attackers were able to exploit vulnerabilities at a higher rate than defenders were patching, while defenders had the upper hand for six months.
At the heart of the vulnerability disclosure practice is a mix of competing incentives for software publishers, IT teams, and the independent security researchers that find software vulnerabilities. When a vulnerability is found, researchers disclose its existence and the relevant code they used to exploit the application. The publisher sets about creating a patch and pushing the patch to its user base. Occasionally, however, software publishers don’t engage, declining to create a patch or notify users of a vulnerability.
In these cases, researchers will publicly disclose the vulnerability to warn the larger community and spur the publisher to take action. Google, for example, tells software publishers that it will release details of the vulnerabilities it discovers within 90 days of notification, except in a few scenarios.
To examine this industry practice, researchers at the Cyentia Institute relied on data from Kenna Security, and multiple independent data sources. The team examined 473 vulnerabilities disclosed in 2019 with evidence of exploitation in the wild.
The analysis also found that:
- When exploit code is publicly released before a patch, attackers get, on average, a 47 day head start
- Only 6% of those exploits were detected by more than 1/100 organisations
- Exploit code was already available for over 50% of the vulnerabilities in our sample by the time they were published to the CVE List
- In great news for defenders, over 80% of exploited vulnerabilities have a patch available prior to, or along with, CVE publication
- About one-third of vulnerabilities have exploit code published before a patch is made available
- About 7% of vulnerabilities are exploited before a CVE is published, a patch is available, and exploit code is released
“For decision-makers and researchers across the cybersecurity community, this research provides a vital, never before seen window into the lifecycle of vulnerabilities and exploitations,” said Jay Jacobs, partner and co-founder of Cyentia Institute. “These findings offer prominent paths for future research that could ultimately make the IT infrastructure more secure.”
Despite the strong relationship between disclosure of exploitation code and weaponisation, the research requires some caveats. It’s possible that release of exploit code doesn’t facilitate exploitation, but detection of exploits in the wild, because the release of the code enabled faster creation of anti-virus signatures.
“This new report reignites the conversation on responsible disclosure. More research will help draw more definitive conclusions, but for now, we can say that where there’s smoke, there’s fire,” said Wade Baker, partner and co-founder of Cyentia Institute. “Release of exploit code before a patch seems to have a negative effect on corporate security.”