Prioritization to Prediction, Vol. 7
Partner: Kenna Security
Lucky number seven in the series seeks to resolve one of the industry’s oldest and most divisive debates: does the public release of exploit code before a patch help or harm defenders? By formally testing three hypotheses against hard evidence, the report moves past speculation to well-justified conclusions. We analyze 6 billion vulnerabilities to determine which software products and disclosure practices offer the greatest advantage to those trying to secure their networks.
The conclusion is a sobering “ugly fact” for advocates of irresponsible disclosure: releasing exploits before patches harms defenders. The timeline of in-the-wild exploitation shifts an average of 98 days earlier when exploits predate patches, and the practice does not lead to earlier remediation or faster signature deployment. The report shows that exploit code acts as a force multiplier for attackers, drawing nearly 15 times the overall exploitation activity seen for vulnerabilities without public code.
The report also provides a unique measurement of “remediability” by vendor. Organizations remediate half of their Google and Microsoft vulnerabilities in roughly 22 days, while reaching that same milestone takes over 900 days for Linux or SAP. This study serves as a vital benchmark for VM programs adapting to the inherent strengths and weaknesses of their tech stack.
Key Findings
- The 98-Day Exploitation Shift: Releasing exploit code before a patch is available moves up the exploitation timeline in the wild by an average of 98 days.
- The 15X Attack Multiplier: Vulnerabilities with public exploit code rack up nearly 15 times the overall exploitation activity across six times as many organizations.
- RCE Exploit Surge: For remote code execution (RCE) vulnerabilities, the presence of public exploit code correlates with a nearly 30-fold increase in exploitation activity.
- Signature Deployment Lag: Premature exploit release actually slows down the production of detection signatures, as coordinated processes tend to move faster.
- Vendor Velocity Disparities: Organizations fix half of their vulnerabilities in 22 days for Google and Microsoft products, but take over 900 days for SAP and Linux software.
- Exploitation Stability: Attacker exploitation rates remain remarkably constant across most vendors, while remediation rates vary wildly depending on the product being patched.

Longitudinal study of over 6 billion vulnerabilities and 13 million active assets across nearly 500 organizations.