
'Dark web' is the first to know of a new vulnerability

(Image credit: Shutterstock/Sergey Nivens)

Information on the latest online vulnerabilities is being published and circulated around the web long before it ends up on NIST's centralised National Vulnerability Database (NVD).

A new report by Recorded Future says that of 12,500 recent vulnerabilities, three quarters (75 per cent) were publicly reported before they ended up on the NVD. As for where this information appears first, Recorded Future says it could be on news media sites, blogs and social media pages, but also on the dark web, on different criminal forums and paste sites.

It usually takes seven days for the information on vulnerabilities to end up in the NVD, but there have been instances where it lagged 172 days. The fastest average timing was one day.

This discrepancy in timing can actually place companies at risk, the report concludes.

"There has long been a belief that there is a significant time delay between the unofficial and official sources for vulnerability disclosure," commented Christopher Ahlberg, CEO at Recorded Future.

"This research clearly indicates that the NVD and official reporting channels aren't able to keep pace with the volume of CVEs in the wild. Organizations need to look to other sources to apply meaningful and actionable intelligence if they are to protect their organizations."

The report also states that more than 1,500 sources reported on vulnerabilities before their release on the NVD. Five per cent of vulnerabilities are detailed on the dark web before being released on the NVD, and these usually have higher severity levels.

On top of it all, almost a third (30 per cent) of vulnerabilities published to the dark web were not in English.

You can find Recorded Future's full report on this link.


Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.