I am currently analyzing the delay between vulnerability disclosure (CVE
release) and the release of a corresponding patch.
Firstly, i noticed that some vulnerabilities are patched before the CVE
was assigned. How is that possible? Was the vulnerability "accitendally"
fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22)
Yes, the vulnerability was not recognized as such. The CVE is then
typically assigned when a Linux distribution decides to backport the fix.
Second, does someone know why some vulnerabilities get a fix on CVE
release day while some only recieve a fix after weeks or even month?
(Maximum delay I observed is 183 days)
There could be many reasons. For example the problem could be very
minor, the patches could have problems, or a second patch was needed
because the first fix was insufficient so. It's difficult to say
without seeing the CVE and patch for the 183-day record.
The delay belongs to CVE-2013-4587. According to NVD the patch (a git
commit) was submitted on 2013-12-12 while the CVE number was assigned on
2013-06-12.
But since i have some cases in my dataset that show similar (~80% of
identified vulnerabilities are fixed within 100 days) behaviour i am
more interested in the general info you already provided.
Stefan
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
