More than 75% of vulnerabilities are publicly disclosed online before their official publication on the NIST's centralized National Vulnerability Database (NVD), reports Recorded Future.
The threat intelligence firm conducted research on more than 12,500 disclosed Common Vulnerabilities and Exposures (CVEs) from early 2016. It discovered a median time lag of seven days before vulnerabilities were shared to the NVD. Vulnerabilities are first posted to easily accessible sites like blogs, news sites, and social media pages, as well as remote parts of the Internet like the dark web and criminal forums.
More than 1,500 information security sources, from blogs to adversary sources, reported on vulnerabilities before their official release. Five percent of flaws are discussed on the dark web prior to NVD publication, and are more severe than anticipated.
This seven-day time gap between unofficial and official publication leaves businesses exposed to potential exploits. Adversaries are monitoring and acting on vulnerability information before CISOs and security teams have time to act on them.
Read more details here.