

On the coordination of vulnerability fixes

An empirical study of practices from 13 CVE numbering authorities

Empirical Software Engineering

Abstract

The Common Vulnerabilities and Exposures (CVE) program analyzes vulnerabilities, assigns each one a unique ID, and discloses it to the affected software vendors. A CVE Numbering Authority (CNA) is a key partner in the CVE program: it assigns the official CVE ID to a vulnerability and registers a description of it so that it can be communicated to the other CNAs and to the affected software vendors. To avoid disclosing a vulnerability before a fix has been developed, the CNAs and the affected vendors need to agree, through multi-party coordination, on a schedule for disclosing the vulnerability and releasing its fixes. This paper analyzes the practices CNAs use to coordinate the release of vulnerability fixes and their disclosure by empirically studying the 13 CNAs that assigned the most CVEs from 2010 to 2020 and that are also software vendors. Our results show that the studied CNAs discover and assign CVE IDs for the majority of the vulnerabilities that affect their own products, which we refer to as self-assigned vulnerabilities. The vulnerabilities that a CNA assigns for other CNAs' products, which we refer to as delegated vulnerabilities, tend to be more severe than the self-assigned ones (median Common Vulnerability Scoring System score of 7.5), yet we observe that their fixes are released at a slower pace. Moreover, when a delegated vulnerability affects the products of several CNAs, the fixes are released a median of 4 days after the disclosure date, with a median delay of 35 days, and up to more than one year, between the first and the last patch release for those products, which corresponds to a large window of exploitation.
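The measurement the abstract describes has three parts: decide whether the CNA that issued a CVE ID is itself a vendor of an affected product (self-assigned) or not (delegated), measure the lag from the disclosure date to each affected vendor's patch, and, for delegated vulnerabilities hitting several vendors, measure the spread between the first and the last patch. The script below is an added illustration of that computation and is not the paper's code or data. The records mimic the subset of the NVD JSON 1.1 feed layout (`cve.CVE_data_meta.ASSIGNER`, `cve.affects.vendor.vendor_data`, `impact.baseMetricV3.cvssV3.baseScore`, `publishedDate`); the `CNA_DOMAIN_TO_VENDOR` table, the `CVE-0000-*` placeholder identifiers, the CVSS scores and the per-vendor patch dates are all constructed for the example, since NVD does not record patch dates (the paper takes them from Tenable).

```python
"""Self-assigned vs delegated CVEs and fix lag over NVD-1.1-shaped records.

Illustrative example written for this page, not the paper's code or data.
"""
from datetime import datetime
from statistics import median

# Assumed mapping from a CNA's assigner e-mail domain to its vendor name as
# written in the affects block. A real study needs a curated table like this.
CNA_DOMAIN_TO_VENDOR = {
    "vendor-a.example": "vendor_a",
    "vendor-b.example": "vendor_b",
    "vendor-c.example": "vendor_c",
}


def _day(stamp):
    """NVD timestamps look like '2020-03-01T14:15Z'; keep the calendar day."""
    return datetime.strptime(stamp[:10], "%Y-%m-%d").date()


def affected_vendors(item):
    return {v["vendor_name"] for v in item["cve"]["affects"]["vendor"]["vendor_data"]}


def assigning_vendor(item):
    domain = item["cve"]["CVE_data_meta"]["ASSIGNER"].rsplit("@", 1)[-1].lower()
    return CNA_DOMAIN_TO_VENDOR.get(domain)


def classify(item):
    """Self-assigned: the CNA that issued the ID also ships an affected product."""
    return "self-assigned" if assigning_vendor(item) in affected_vendors(item) else "delegated"


def cvss_base_score(item):
    impact = item.get("impact", {})
    if "baseMetricV3" in impact:
        return impact["baseMetricV3"]["cvssV3"]["baseScore"]
    if "baseMetricV2" in impact:
        return impact["baseMetricV2"]["cvssV2"]["baseScore"]
    return None


def fix_lags(item, patch_dates):
    """Days from disclosure (publishedDate) to each vendor's patch. The
    first-to-last spread is the extra exposure of the slowest vendor's users."""
    disclosed = _day(item["publishedDate"])
    lags = {v: (_day(d) - disclosed).days for v, d in patch_dates.items()}
    first, last = min(lags.values()), max(lags.values())
    return {"per_vendor": lags, "first": first, "last": last, "spread": last - first}


def summarize(items, patches):
    buckets = {"self-assigned": {"cvss": [], "first": []},
               "delegated": {"cvss": [], "first": []}}
    spreads = []  # only delegated CVEs that hit more than one vendor
    for item in items:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        kind = classify(item)
        lag = fix_lags(item, patches[cve_id])
        buckets[kind]["cvss"].append(cvss_base_score(item))
        buckets[kind]["first"].append(lag["first"])
        if kind == "delegated" and len(lag["per_vendor"]) > 1:
            spreads.append(lag["spread"])
    out = {k: {"count": len(b["cvss"]),
               "median_cvss": median(b["cvss"]) if b["cvss"] else None,
               "median_first_fix_days": median(b["first"]) if b["first"] else None}
           for k, b in buckets.items()}
    out["median_multi_vendor_spread_days"] = median(spreads) if spreads else None
    return out


def _record(cve_id, assigner, vendors, score, published):
    """Build the subset of an NVD 1.1 feed item that the functions above read."""
    return {"cve": {"CVE_data_meta": {"ID": cve_id, "ASSIGNER": assigner},
                    "affects": {"vendor": {"vendor_data": [{"vendor_name": v} for v in vendors]}}},
            "impact": {"baseMetricV3": {"cvssV3": {"baseScore": score}}},
            "publishedDate": published}


# Constructed records; CVE-0000-* are placeholders, not real identifiers.
SAMPLE_ITEMS = [
    _record("CVE-0000-0001", "cna@vendor-a.example", ["vendor_a"], 5.5, "2020-01-10T12:00Z"),
    _record("CVE-0000-0002", "cna@vendor-a.example", ["vendor_b", "vendor_c"], 7.5, "2020-03-01T14:15Z"),
    _record("CVE-0000-0003", "cna@vendor-b.example", ["vendor_b"], 6.5, "2020-05-01T09:00Z"),
    _record("CVE-0000-0004", "cna@vendor-c.example", ["vendor_a"], 8.5, "2020-06-01T10:30Z"),
]
SAMPLE_PATCHES = {  # constructed per-vendor patch release dates
    "CVE-0000-0001": {"vendor_a": "2020-01-10"},
    "CVE-0000-0002": {"vendor_b": "2020-03-05", "vendor_c": "2020-04-09"},
    "CVE-0000-0003": {"vendor_b": "2020-05-03"},
    "CVE-0000-0004": {"vendor_a": "2020-06-11"},
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ITEMS, SAMPLE_PATCHES).items():
        print(key, value)
```

On the constructed sample the delegated multi-vendor CVE is patched by its first vendor 4 days after disclosure and by its last vendor 39 days after, a 35-day spread during which users of the slower product stay exposed to a publicly described bug; the classification step is the fragile one in practice, because the `ASSIGNER` field is an e-mail address and the vendor name in the affects block is free text, so the domain-to-vendor table has to be curated by hand.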




Data Availability Statement

The data that support the findings of this study are available on the CVE (cve 2022) and https://www.tenable.com websites.

Notes

  1. https://www.technologyreview.com/2021/09/23/1036140/2021-record-zero-day-hacks-reasons/

  2. https://www.businessinsider.com/hackers-microsoft-word-flaw-reuters-2017-4

  3. https://cpe.mitre.org/specification/

  4. https://cve.mitre.org/cve/researcher_reservation_guidelines

  5. https://www.cisa.gov/coordinated-vulnerability-disclosure-process

  6. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

  7. https://www.tenable.com/

  8. https://cve.mitre.org/cve/list_rules_and_guidance/correcting_counting_issues.html

  9. https://nvd.nist.gov/vuln/data-feeds

  10. Note that we use https://www.tenable.com, since the open-source vulnerability database (OSVDB), which was widely used to study the patch available date for security vulnerabilities (Frei et al. 2006; Shahzad et al. 2012), was shutdown permanently in 2016, https://www.securityweek.com/osvdb-shut-down-permanently.

  11. https://www.mitre.org/about/awards-and-recognition

  12. https://www.redhat.com/ja/about/press-releases/press-bestlinuxsolutions

  13. https://www.dell.com/en-us/blog/dell-software-security-solutions-of-awards-and-honors/

  14. https://blog.bjornweb.nl/2017/02/flash-bypassing-local-sandbox-data-exfiltration-credentials-leak/

  15. https://www.oracle.com/corporate/security-practices/assurance/vulnerability/

  16. https://support.apple.com/en-us/HT201220

  17. https://access.redhat.com/solutions/3711551

  18. https://chromium.googlesource.com/chromium/src//master/docs/security/severity-guidelines.md

  19. https://www.microsoft.com/en-us/msrc/faqs-security-update-guide

  20. https://support.mozilla.org/en-US/kb/managing-firefox-updates

  21. https://nvd.nist.gov/vuln/detail/CVE-2011-3071

  22. https://chromereleases.googleblog.com/2012/04/stable-and-beta-channel-updates.html

  23. https://support.apple.com/en-us/HT202561

  24. https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time

  25. https://www.enisa.europa.eu/news/coordinated-vulnerability-disclosure-towards-a-common-eu-approach

  26. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

  27. https://www.securityweek.com/osvdb-shut-down-permanently

  28. https://nvd.nist.gov/vuln/detail/CVE-2019-14626

  29. https://cve.mitre.org/cve/list_rules_and_guidance/correcting_counting_issues.html

References

  • Alfadel M, Costa DE, Shihab E (2021) Empirical analysis of security vulnerabilities in python packages. In: 2021 IEEE International conference on software analysis, evolution and reengineering (SANER’21). IEEE, pp 446–457

  • Allodi L (2017) Economic factors of vulnerability trade and exploitation. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 1483–1499

  • Arora A, Krishnan R, Telang R, Yang Y (2010) An empirical analysis of software vendors’ patch release behavior: impact of vulnerability disclosure. Inf Syst Res 21(1):115–132


  • Arora A, Krishnan R, Nandkumar A, Telang R, Yang Y (2004) Impact of vulnerability disclosure and patch availability-an empirical analysis. In: Third workshop on the economics of information security, vol 24, pp 1268–1287

  • Bhargava G, Chandini M (2018) Then and now: on the maturity of the cybercrime markets

  • Blocken B (2014) 50 years of computational wind engineering: past, present and future. J Wind Eng Ind Aerodyn 129:69–102


  • Chen X, Zhao Y, Cui Z, Meng G, Liu Y, Wang Z (2019) Large-scale empirical studies on effort-aware security vulnerability prediction methods. IEEE Trans Reliab 69(1):70–87


  • Chinthanet B, Kula RG, McIntosh S, Ishio T, Ihara A, Matsumoto K (2021) Lags in the release, adoption, and propagation of npm vulnerability fixes. Empirical Software Engineering (EMSE’21) 26(3):1–28


  • CNA (online). https://www.cve.org/ProgramOrganization/CNAs. Last Accessed 05 Feb 2022

  • CVE (online). https://cve.mitre.org/. Last Accessed 05 Feb 2022

  • CWE (online). https://cwe.mitre.org/. Last Accessed 05 Feb 2022

  • Decan A, Mens T, Constantinou E (2018) On the impact of security vulnerabilities in the npm package dependency network. In: Proceedings of the 15th international conference on mining software repositories (MSR’18), pp 181–191

  • Dolan-Gavitt B, Hulin P, Kirda E, Leek T, Mambretti A, Robertson W, Ulrich F, Whelan R (2016) Lava: large-scale automated vulnerability addition. In: 2016 IEEE Symposium on security and privacy (SP’16). IEEE, pp 110–121

  • Farhang S, Kirdan MB, Laszka A, Grossklags J (2019) Hey google, what exactly do your security patches tell us? a large-scale empirical study on android patched vulnerabilities. arXiv preprint arXiv:1905.09352

  • Feutrill A, Roughan M, Ross J, Yarom Y (2020) A queueing solution to reduce delay in processing of disclosed vulnerabilities. In: 2020 Second IEEE international conference on trust, privacy and security in intelligent systems and applications. IEEE, pp 1–11

  • Frei S, May M, Fiedler U, Plattner B (2006) Large-scale vulnerability analysis. In: Proceedings of the 2006 SIGCOMM workshop on large-scale attack defense, pp 131–138

  • Goyal P, Parmar V, Rishi R et al (2011) Manet: vulnerabilities, challenges, attacks, application. IJCEM International Journal of Computational Engineering & Management 11(2011):32–37


  • Grieco G, Grinblat GL, Uzal L, Rawat S, Feist J, Mounier L (2016) Toward large-scale vulnerability discovery using machine learning. In: Proceedings of the sixth ACM conference on data and application security and privacy, pp 85–96

  • Guidelines and practices for multi-party vulnerability coordination and disclosure (online). https://www.first.org/global/sigs/vulnerability-coordination/multiparty/guidelines-v1.0. Last Accessed 05 Feb 2022

  • Gupta S, Gupta BB (2017) Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: present and future challenges. International Journal of Cloud Applications and Computing (IJCAC17) 7(3):1–43


  • Huang Z, D'Angelo M, Miyani D, Lie D (2016) Talos: neutralizing vulnerabilities with security workarounds for rapid response. In: 2016 IEEE Symposium on security and privacy (SP’16). IEEE, pp 618–635

  • Joh H, Malaiya YK (2011) Defining and assessing quantitative security risk measures using vulnerability lifecycle and cvss metrics. In: Proceedings of the 2011 International conference on security and management (SAM’11), vol 1, pp 10–16

  • Jovanovic N, Kruegel C, Kirda E (2006) Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on security and privacy (SP’06). IEEE, pp 6–pp

  • Kula RG, German DM, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies? Empirical Software Engineering (EMSE’18) 23(1):384–417


  • Lee J, Hong S, Oh H (2018) Memfix: static analysis-based repair of memory deallocation errors for c. In: Proceedings of the 2018 26th ACM Joint meeting on European software engineering conference and symposium on the foundations of software engineering, pp 95–106

  • Li F, Paxson V (2017) A large-scale empirical study of security patches. In: Proceedings of the 2017 ACM SIGSAC Conference on computer and communications security, pp 2201–2215

  • Liu B, Meng G, Zou W, Gong Q, Li F, Lin M, Sun D, Huo W, Zhang C (2020) A large-scale empirical study on vulnerability distribution within projects and the lessons learned. In: 2020 IEEE/ACM 42nd International conference on software engineering (ICSE’20). IEEE, pp 1547–1559

  • Li Z, Zou D, Xu S, Jin H, Zhu Y, Chen Z (2021) Sysevr: a framework for using deep learning to detect software vulnerabilities. IEEE Transactions on Dependable and Secure Computing

  • Machiry A, Redini N, Camellini E, Kruegel C, Vigna G (2020) Spider: enabling fast patch propagation in related software repositories. In: 2020 IEEE Symposium on security and privacy (SP’20). IEEE, pp 1562–1579

  • Nakajima A, Watanabe T, Shioji E, Akiyama M, Woo M (2019) A pilot study on consumer iot device vulnerability disclosure and patch release in japan and the united states. In: Proceedings of the 2019 ACM Asia conference on computer and communications security (AsiaCCS ’19), pp 485–492

  • Nappa A, Johnson R, Bilge L, Caballero J, Dumitras T (2015) The attack of the clones: a study of the impact of shared code on vulnerability patching. In: 2015 IEEE symposium on security and privacy (SP’15). IEEE, pp 692–708

  • U.S. national institute of standards and technology. CVSS information (online). https://nvd.nist.gov/vuln-metrics/cvss. Last Accessed 05 Feb 2022

  • National vulnerability database (online). https://nvd.nist.gov/. Last Accessed 05 Feb 2022

  • Ozment A, Schechter SE (2006) Milk or wine: does software security improve with age? In: USENIX security symposium, vol 6, pp 10–5555

  • Piantadosi V, Scalabrino S, Oliveto R (2019) Fixing of security vulnerabilities in open source projects: a case study of apache http server and apache tomcat. In: 2019 12th IEEE Conference on software testing, validation and verification (ICST’19). IEEE, pp 68–78

  • Rafique S, Humayun M, Hamid B, Abbas A, Akhtar M, Iqbal K (2015) Web application security vulnerabilities detection approaches: a systematic mapping study. In: 2015 IEEE/ACIS 16th International conference on software engineering, artificial intelligence, networking and parallel/distributed computing (SNPD’15). IEEE, pp 1–6

  • Ruohonen J (2018) An empirical analysis of vulnerabilities in python packages for web applications. In: 2018 9th International workshop on empirical software engineering in practice (IWESEP’18). IEEE, pp 25–30

  • Ruohonen J, Rauti S, Hyrynsalmi S, Leppänen V (2018) A case study on software vulnerability coordination. Inf Softw Technol 103:239–257


  • Sabottke C, Suciu O, Dumitras T (2015) Vulnerability disclosure in the age of social media: exploiting twitter for predicting Real-World exploits. In: 24th USENIX security symposium (USENIX Security 15), pp 1041–1056

  • Shahzad M, Shafiq MZ, Liu AX (2012) A large scale exploratory analysis of software vulnerability life cycles. In: 2012 34th International conference on software engineering (ICSE’12). IEEE, pp 771–781

  • Shin Y, Meneely A, Williams L, Osborne JA (2010) Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE transactions on software engineering (TSE’10) 37(6):772–787


  • Sood AK, Bansal R, Enbody RJ (2012) Cybercrime: dissecting the state of underground enterprise. IEEE Internet Comput 17(1):60–68


  • Stock B, Pellegrino G, Rossow C, Johns M, Backes M (2016) Hey, you have a problem: on the feasibility of Large-Scale web vulnerability notification. In: 25th USENIX security symposium, pp 1015–1032

  • Wang X, Sun K, Batcheller A, Jajodia S (2019) Detecting "0-day" vulnerability: an empirical study of secret security patch in OSS. In: 2019 49th Annual IEEE/IFIP international conference on dependable systems and networks (DSN’19). IEEE, pp 485–492

  • Wu D, Gao D, Cheng EK, Cao Y, Jiang J, Deng RH (2019) Towards understanding android system vulnerabilities: techniques and insights. In: Proceedings of the 2019 ACM Asia conference on computer and communications security (AsiaCCS ’19), pp 295–306

  • Zhang H, Wang S, Li H, Chen THP, Hassan AE (2021) A study of C/C++ code weaknesses on stack overflow. IEEE Transactions on Software Engineering (TSE’21)

  • Zhao M, Grossklags J, Liu P (2015) An empirical study of web vulnerability discovery ecosystems. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, pp 1105–1117



Corresponding author

Correspondence to Jiahuei Lin.

Ethics declarations

Conflict of Interests

The authors declare that they have no conflict of interest.

Additional information

Communicated by: Mehdi Mirakhorli.



About this article


Cite this article

Lin, J., Adams, B. & Hassan, A.E. On the coordination of vulnerability fixes. Empir Software Eng 28, 151 (2023). https://doi.org/10.1007/s10664-023-10403-x

