Information on newly discovered software vulnerabilities is being published and circulated around the web long before it appears in NIST's centralised National Vulnerability Database (NVD).
A new report by Recorded Future says that of 12,500 recent vulnerabilities, three quarters (75 per cent) were publicly reported before they appeared in the NVD. As for where that information first surfaces, Recorded Future says it can be news media sites, blogs and social media pages, but also the dark web, criminal forums and paste sites.
Typically it takes seven days for information on a vulnerability to reach the NVD, but there have been instances where it lagged by 172 days; at the fast end, the delay was as short as one day.
This gap in timing places companies at real risk, the report concludes: an organisation that relies on the NVD as its trigger for patching can be unaware of a vulnerability for days or weeks while details are already circulating, including among attackers.
"There has long been a belief that there is a significant time delay between the unofficial and official sources for vulnerability disclosure," commented Christopher Ahlberg, CEO at Recorded Future.
"This research clearly indicates that the NVD and official reporting channels aren't able to keep pace with the volume of CVEs in the wild. Organizations need to look to other sources to apply meaningful and actionable intelligence if they are to protect their organizations."
The report also states that more than 1,500 distinct sources reported on vulnerabilities before they were published in the NVD. Five per cent of vulnerabilities were discussed on the dark web before their NVD release, and these tended to have higher severity ratings.
On top of that, almost a third (30 per cent) of the vulnerability discussions published on the dark web were not in English.
You can find Recorded Future's full report at this link.
Image source: Shutterstock/Sergey Nivens