Stefan Frei, Martin May

June 22, 2008, FIRST Conference, Vancouver


To be able to take notice of new vulnerabilities, businesses and enterprises need accurate and validated information from a trusted source. CERTs and private-sector service offerings provide such information through the publication of vulnerability advisories. The quality, quantity, and disclosure time of such advisories vary considerably between sources. By monitoring relevant security sites at 30-minute intervals for more than 18 months, we collected a unique dataset to compare CERT and private offerings. In addition, we also collected data from well-known exploit sites.

As an independent research institute, we present an unbiased analysis of the performance of CERTs and security information providers from the private sector. We show the evolution of the number of disclosures, the number of references to CVE, the risk metrics used, and the timeliness of publication over the year, day of week, and time of day. Correlating the advisories on the CVE identifier as a unique vulnerability key allows us to compare the advisory providers against each other. Further, we compare the advisory data with the rate of exploit publications. We find differences between the advisory providers and offer an interpretation. We revisit the vulnerability lifecycle with respect to our findings and examine their impact in the context of the full disclosure debate. We conclude that having multiple independent advisory providers is very important to the security community. Collectively, they serve as an efficient watchdog monitoring the (in)security scene, providing threat information in a usable format for businesses.