The US Offers Black Hats Zero-Day Opportunities with Lagging CVE Reporting

When it comes to software vulnerability (CVE) disclosure, the US lags China in turnaround time.

Recorded Future, which had previously uncovered unexpectedly large gaps between public disclosure of a vulnerability and its inclusion in the US National Vulnerability Database (NVD), found that on any given day, there’s more current information about software vulnerabilities on China’s National Vulnerability Database (CNNVD) than on NVD. On average, the gap between first disclosure of an issue and its availability on CNNVD is around 13 days. On NVD, the average delay is 33 days.

To arrive at the findings [PDF], Recorded Future examined how many days after initial web disclosure NVD and CNNVD waited to report the 17,940 vulnerabilities first publicly disclosed and then incorporated by both systems between September 13, 2015 and September 13, 2017 (initial web disclosure includes any mention of the vulnerability on the web).

Because averages can be dominated by a small set of vulnerabilities with long delays, Recorded Future looked at the data based on percentiles as well. Within six days of initial disclosure, 75% of all vulnerabilities published on the web are covered in CNNVD. The US NVD takes 20 days. Further, CNNVD captures 90% of all vulnerabilities within 18 days. The NVD takes 92.

There are two classes of vulnerability disclosure: coordinated and uncoordinated. In some cases, a vendor clearly coordinates the announcement of the vulnerability, and it is simultaneously publicly disclosed and reported in NVD. In these cases, CNNVD trails NVD by a median of one day. When the vendor doesn’t tightly coordinate with NVD, it takes NVD 38 days to report on 75% of published vulnerabilities and 125 days to cover 90%. For CNNVD in these cases it takes seven days to report on 75% and 23 days to report on 90%.
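The measurement described in the last three paragraphs (days from first public mention to database publication, summarized by percentiles rather than averages, and split by whether the vendor coordinated with NVD) is easy to reproduce on your own data. The script below is an added example, not code from Recorded Future or the report; the records are constructed dates for illustration, not real CVEs, and the "coordinated" flag and nearest-rank percentile method are assumptions of this example, not the report's methodology.

```python
"""Disclosure-to-database lag, measured the way the Recorded Future study
describes: days from first public mention to publication in each database,
summarised by the mean and by nearest-rank percentiles so that a single
long-tail record cannot hide the typical case."""
import math
from datetime import date

# Constructed sample records (illustrative, NOT data from the report):
# first public mention, NVD publish date, CNNVD publish date, and whether the
# vendor coordinated disclosure with NVD (same-day publication). The last
# record is a deliberate long-tail outlier.
SAMPLE = [
    {"id": "sample-01", "first_seen": date(2017, 3, 1),  "nvd": date(2017, 3, 1),   "cnnvd": date(2017, 3, 2),  "coordinated": True},
    {"id": "sample-02", "first_seen": date(2017, 3, 5),  "nvd": date(2017, 3, 5),   "cnnvd": date(2017, 3, 6),  "coordinated": True},
    {"id": "sample-03", "first_seen": date(2017, 3, 10), "nvd": date(2017, 3, 12),  "cnnvd": date(2017, 3, 11), "coordinated": False},
    {"id": "sample-04", "first_seen": date(2017, 3, 15), "nvd": date(2017, 3, 18),  "cnnvd": date(2017, 3, 16), "coordinated": False},
    {"id": "sample-05", "first_seen": date(2017, 4, 1),  "nvd": date(2017, 4, 6),   "cnnvd": date(2017, 4, 3),  "coordinated": False},
    {"id": "sample-06", "first_seen": date(2017, 4, 10), "nvd": date(2017, 4, 15),  "cnnvd": date(2017, 4, 13), "coordinated": False},
    {"id": "sample-07", "first_seen": date(2017, 5, 1),  "nvd": date(2017, 5, 7),   "cnnvd": date(2017, 5, 5),  "coordinated": False},
    {"id": "sample-08", "first_seen": date(2017, 5, 20), "nvd": date(2017, 5, 29),  "cnnvd": date(2017, 5, 25), "coordinated": False},
    {"id": "sample-09", "first_seen": date(2017, 6, 1),  "nvd": date(2017, 6, 21),  "cnnvd": date(2017, 6, 8),  "coordinated": False},
    {"id": "sample-10", "first_seen": date(2017, 6, 10), "nvd": date(2017, 11, 7),  "cnnvd": date(2017, 6, 21), "coordinated": False},
]


def lag_days(first_seen: date, published: date) -> int:
    """Days from the first public mention to the database's publish date.
    A negative value means the database entry predates the earliest mention
    we found, which usually signals an incomplete web-disclosure feed."""
    return (published - first_seen).days


def nearest_rank_percentile(values, p: float):
    """Nearest-rank percentile: the smallest value such that at least p% of
    the data is at or below it. Deterministic and robust to outliers, unlike
    the mean."""
    if not values:
        raise ValueError("no values to summarise")
    ranked = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ranked)))
    return ranked[rank - 1]


def summarize(records, db: str, coordinated=None) -> dict:
    """Lag statistics for one database ('nvd' or 'cnnvd'), optionally
    restricted to coordinated (True) or uncoordinated (False) disclosures."""
    lags = [
        lag_days(r["first_seen"], r[db])
        for r in records
        if coordinated is None or r["coordinated"] == coordinated
    ]
    return {
        "count": len(lags),
        "mean": round(sum(lags) / len(lags), 1),
        "p50": nearest_rank_percentile(lags, 50),
        "p75": nearest_rank_percentile(lags, 75),
        "p90": nearest_rank_percentile(lags, 90),
    }


if __name__ == "__main__":
    for db in ("nvd", "cnnvd"):
        print(db, summarize(SAMPLE, db))
    # The coordinated/uncoordinated split the report draws.
    print("nvd, coordinated only  ", summarize(SAMPLE, "nvd", coordinated=True))
    print("nvd, uncoordinated only", summarize(SAMPLE, "nvd", coordinated=False))
```

On the constructed sample the NVD mean lag is 20 days while the 75th percentile is 9, the one 150-day record pulling the average up; that is exactly why the percentile view is the one to act on when deciding how long to wait for NVD before consulting other sources.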

As for the reason for the delays, Recorded Future explained that NVD waits for voluntary submissions of information; it reports and analyzes vulnerabilities only after they are published in MITRE’s CVE Dictionary, which relies on voluntary submissions from the vendors and CNAs associated with the vulnerabilities. If the CVE is not published in the CVE Dictionary, it is neither included in NVD nor available to companies relying on NVD for vulnerability awareness.

China on the other hand has prioritized timely disclosure by using extensive sources of vulnerability information across the web rather than relying on voluntary industry submissions—it reports all available vulnerabilities.

“The end result is that there is no US government ‘comprehensive cybersecurity vulnerability database,’” explained the firm. “Black-hat hackers who monitor the CNNVD could benefit from its more complete collection as they are looking for new exploits to target. US security teams should have access to a similar resource.”

