On average, the Internet finds out about security vulnerabilities a week before they're officially published

Jun 8, 2017 19:07 GMT  ·  By

Discovered vulnerabilities are most often first reported on news sites, blogs, social media pages, the dark web, or paste sites before being published in NIST's National Vulnerability Database (NVD).

Reporting vulnerabilities is essential for everyone's online security, and this is something that happens regularly with most companies: researchers dig deep, find something that's not right, exploit it, and report it to the company so it can be fixed. This scenario makes us all safer when browsing the Internet and using apps and tools.

Threat intel firm Recorded Future, however, has noticed that a lot of these vulnerabilities are first discussed online before even being reported or making it into the NVD.

"The disparity between the unofficial and official communication of CVEs is placing a greater onus on CISOs and security teams, leaving them unknowingly open to potential exploits and unable to make strategic and informed decisions on their security strategy," the firm writes in its report.

According to the report, which looked at data from the beginning of 2016 and analyzed more than 12,500 security bugs, the median lag between a CVE first being revealed and its eventual publication in the National Vulnerability Database was seven days. That's one week in which threat actors could find a way to exploit the bug before the affected company even has a chance to start fixing the problem.

This seven-day lag between public disclosure and official notification puts organizations at significant risk and raises the question of whether official disclosure channels are reliable.

The rich dark web database

Details about 5% of vulnerabilities were posted on the dark web ahead of the NVD release, and these had higher severity levels than expected. One example given is the Dirty Cow vulnerability (CVE-2016-5195), whose proof of concept was dumped on Pastebin 15 days before NVD publication, while the original security report was translated into Russian and posted on an exploit forum two days after the initial release.

Recorded Future notes that over 500 CVEs that were first reported online in 2016 are still awaiting publication in the database.

This is more than enough proof that the NVD and official reporting channels are overwhelmed by the number of vulnerabilities discovered in the wild. Recorded Future notes that organizations need to adopt a proactive, risk-based approach to addressing vulnerabilities, including by making use of information from dark web sites, which are, more often than not, the first to see and discuss such threats.