Blog
Why Vulnerability Management Teams Need to Patch Faster to Stay Ahead of Exploitation
Table Of Contents
KEY TAKEAWAY
Flashpoint has found that the interval between disclosure and exploit availability appears to be shrinking. Security teams should make an effort to patch as soon as a fix is available. Organizations can maximize limited resources by improving their vulnerability identification and prioritization processes.
To protect the organization against cyber attacks, Vulnerability Management teams prioritize vulnerabilities for remediation, so that they can be addressed before threat actors can exploit them. However, security teams are reliant on how quickly vendors can produce solutions to identified vulnerabilities. To make matters more difficult, Flashpoint research shows that the time between disclosure and exploit availability is shortening, suggesting that organizations will have less time to patch. If they are not prepared, remediation processes could become incredibly strained.
Looking at each day over the last five years, as a rolling average, the time between vulnerability disclosure and exploit publication is shrinking. The takeaway is that patch teams must react more quickly to stay ahead of potential exploitation. This shorter interval could mean multiple things for organizations—being that available solutions, or that in some cases, workable exploits could be arriving more quickly.
How is the Shrinking Exploit Window Changing Vulnerability Management?
While current data shows that the time between disclosure and patch release is decreasing, there is not an overall trend of threat actors creating exploits faster. Exploit publication is more unpredictable, and examining it more closely suggests that the overall decrease shown in the figure above is mainly due to faster patch availability, and not to rapid development of exploits:
| Time Unpatched (average days) | Time to Exploit (average days) | Disclosure to Exploit (average days) | |
|---|---|---|---|
| 2017 | 4.03 | .50 | 4.53 |
| 2018 | 3.97 | -0.56 | 3.41 |
| 2019 | 3.51 | 0.25 | 3.76 |
| 2020 | 2.88 | 3.59 | 6.47 |
| 2021 | 2.16 | 2.98 | 5.14 |
Why are Exploits and Zero-Day Vulnerabilities So Unpredictable?
Ideal patch management entails that security teams remediate vulnerabilities as soon as a fix becomes available. Unfortunately, this does not always happen as vulnerabilities are often exploited well after their initial disclosure or patch release—Log4Shell being a prime example.
The rising number of zero-day vulnerabilities also impacts patch cycles, complicating the timing between vulnerability disclosure to exploitation attempts. Some zero-day vulnerabilities have extensive samples and technical details made public, such as CVE-2022-30190, which will likely see ongoing exploitation going forward. In contrast, zero-day vulnerabilities affecting products like Google Chrome rarely see many technical details or functional exploits, and vulnerable instances shrink very quickly, as the browser automatically updates. Therefore, threat actors may not consider it worth the effort of developing exploits because they may not have the time to do so.
Organizations will need to understand these idiosyncrasies in order to maximize their resources, else they could waste time or manpower triaging vulnerabilities that are likely not attractive to malicious actors. However, security teams will need vulnerability metadata and other technical details that often aren’t included in the public source to contextualize risk.
How Can Teams Contextualize Risk Using Vulnerability Timeline Metrics (VTEM)?
Flashpoint collects a wide range of key dates during the vulnerability disclosure process, generating proprietary Vulnerability Timeline and Exposure Metrics (VTEM) data. Using VTEM, as well as the other metadata and technical details provided by VulnDB, organizations can better understand specific vulnerabilities in addition to cost of ownership.
The global average for the interval between disclosure to exploitation across all products is three to five days—but with VTEM, security teams can see how deployed vendors compare. In addition, organizations can see exactly how long it takes vendors to patch vulnerabilities within their own products, while also seeing how long it takes for exploits to be developed, on average. Once known, business leaders can make better risk decisions:
Manage Vulnerabilities Effectively with Flashpoint
An effective vulnerability management program relies on comprehensive identification, effective prioritization, and timely remediation. These three key components all rely on organizations having the right information available to use.
Even for the best security teams, timely remediation relies on how quickly their vendors can produce solutions to identified vulnerabilities. Organizations will need to pay attention to their vendors and hold them accountable when they fall short.
Frequently Asked Questions (FAQs)
How does Flashpoint help my team patch vulnerabilities faster?
Flashpoint helps teams patch faster by providing VulnDB, which delivers vulnerability intelligence an average of two weeks faster than the National Vulnerability Database (NVD). This “head start” allows security teams to identify emerging threats and zero-days before they are widely publicized, giving organizations the critical time needed to test and deploy patches before exploitation begins.
| Feature | Flashpoint Benefit |
| Early Disclosure | Provides awareness of flaws days or weeks before public sources. |
| VTEM Data | Tracks the exact timeline from disclosure to exploit availability. |
| Analyst Support | Offers solution-focused notes to accelerate the triage process. |
What are Flashpoint Vulnerability Timeline and Exposure Metrics (VTEM)?
Vulnerability Timeline and Exposure Metrics (VTEM) are proprietary data points within Flashpoint’s vulnerability intelligence that track key milestones in a vulnerability’s lifecycle. VTEM allows users to see how long it historically takes a specific vendor to issue a patch and how quickly threat actors typically develop an exploit for that product. This context is unique to Flashpoint and helps leaders predict risk levels for their specific software stack.
- Vendor Accountability: Measures how fast vendors respond to new security flaws.
- Exploit Prediction: Identifies the average window between a leak and a functional exploit.
- Risk Mapping: Helps organizations understand their “time-to-exposure” for different assets.
Why is Flashpoint’s NVD-independent intelligence vital for remediation?
Flashpoint’s NVD-independent intelligence is vital because public databases currently miss over 33% of all known vulnerabilities, creating dangerous blind spots. Flashpoint VulnDB tracks over 100,000 non-CVE flaws, including those in third-party libraries and IoT devices. By providing a “single source of truth” that does not rely on the NVD’s slow enrichment process, Flashpoint ensures that your patching efforts cover your entire attack surface, not just the most common software.
| Intelligence Source | Vulnerability Coverage |
| NVD / CVE | Misses nearly 1/3 of all disclosed vulnerabilities. |
| Flashpoint VulnDB | Tracks 415,000+ entries, including zero-days and non-CVE flaws. |
| Speed to Publication | Flashpoint is consistently 14+ days faster than public feeds. |