Most vulnerabilities are first disclosed online and on the darknet
More than three-quarters of vulnerabilities are disclosed online before they reach the National Vulnerability Database (NVD).
Details of security issues in software are published on news sites, blogs, and social networks, as well as on the darknet, more frequently than in the NVD. That is the conclusion reached by experts at Recorded Future, based on an analysis of data on more than 12,500 vulnerabilities collected at the beginning of 2016.
According to the researchers, the average gap between a vulnerability's disclosure on the Internet and its entry into the NVD is seven days. During those seven days, organizations are at heightened risk of cyber attack, which, the experts say, calls into question the reliability of official vulnerability disclosure channels. The gap between the vendor's own advisory and the vulnerability's entry into the NVD can be even greater.
One vulnerability in twenty (5%) appears on the darknet before it enters the NVD. For example, a PoC exploit for the Dirty COW vulnerability (CVE-2016-5195) was published on Pastebin 15 days before the NVD entry. Just two days after publication, the Pastebin post was translated into Russian and posted on hacker forums. More than 500 vulnerabilities disclosed last year have still not been included in the NVD.
The National Vulnerability Database is a centralized government repository of vulnerability management data, developed by the National Institute of Standards and Technology (NIST).