A leading cybersecurity firm has claimed that only around a quarter of the vulnerabilities found and reported to vendors by its researchers get resolved.
NCC Group analyzed nine years of vulnerabilities discovered by its team and found that only 26%, or 289, were classed as “closed,” meaning they were fixed or dismissed once the risk was accepted by the vendor.
Unsurprisingly, those classed as low risk took longest for vendors to fix, at an average of 96 days. Medium-risk and then critical vulnerabilities followed, taking 77 days and 74 days respectively.
NCC Group complained that too often vendors lack a clear point of contact for researchers to communicate with when they find a flaw, lengthening the delay. Sometimes out of desperation, researchers are even forced to contact the vendor’s social media team in order to find a secure communication channel, it added.
NCC Group research director, Matt Lewis, bemoaned the lack of established processes for vulnerability remediation and disclosure. Just 2.4% of the vulnerabilities found by his team and reported resulted in a CVE.
“There also seems to be a false sense of security among businesses when it comes to low-risk vulnerabilities. These are vulnerabilities nonetheless, and we’re seeing an increase in bug chaining attacks, which exploit multiple low-risk issues across infrastructure to achieve full, unauthorized control of the underlying system,” he added.
“The fact that the majority of vulnerabilities uncovered by our researchers over the past nine years have not been fixed demonstrates that there are likely far more zero-day vulnerabilities in existence than we might think.”
Research from Flexera earlier this year revealed discovered vulnerabilities hit an all-time-high in 2017 of over 20,000.
Separate research from Fortinet last year claimed that hackers are increasingly crafting exploits around old vulnerabilities, knowing that firms may leave them unpatched. It found that in Q2 2017, 90% of organizations recorded exploits for vulnerabilities that were three or more years old.
The WannaCry ransomware campaign of May 2017 highlighted just how many organizations fail to patch even critical bugs promptly.