[Research] Correlation of Patch Delivery Delay and Access Complexity


[Research] Correlation of Patch Delivery Delay and Access Complexity

Stefan Geißler
Hello all,

In the context of my analysis of the delay between vulnerability disclosure
(CVE release) and the release of a corresponding patch, I am also
analyzing the relation between the delay and various vulnerability
characteristics.

The attached figure shows the relation between Access Complexity as used
by NVD and defined in CVSS. The Y-Axis shows the average delay for each
category (Low, Medium, High). The numbers on top of the bars show the
number of vulnerabilities in the respective category.

I was hoping that someone is able to help me explain the relation that
can be seen in the figure. Why would a higher Access Complexity lead to a
longer patching delay? Or is the relation maybe just random, and there is
no actual connection between the two metrics?

Stefan

_______________________________________________
Xen-users mailing list
[hidden email]
http://lists.xen.org/xen-users

Attachment: PatchingDelay_Xen.png (29K)

Re: [Research] Correlation of Patch Delivery Delay and Access Complexity

George Dunlap
On Sat, Sep 26, 2015 at 10:29 AM, Stefan Geißler
<[hidden email]> wrote:

> Hello all,
>
> In the context of my analysis of the delay between vulnerability disclosure (CVE
> release) and the release of a corresponding patch, I am also analyzing the
> relation between the delay and various vulnerability characteristics.
>
> The attached figure shows the relation between Access Complexity as used by
> NVD and defined in CVSS. The Y-Axis shows the average delay for each
> category (Low, Medium, High). The numbers on top of the bars show the number
> of vulnerabilities in the respective category.
>
> I was hoping that someone is able to help me explain the relation that can
> be seen in the figure. Why would a higher Access Complexity lead to a longer
> patching delay? Or is the relation maybe just random, and there is no actual
> connection between the two metrics?

First of all, since this question is presumably addressed to the Xen
developers, it would probably be better asked on xen-devel.

But to get you a better response there:

I don't really have a very clear idea what you're actually measuring
here.  What exactly is the "CVE release" date?  And what do you count
as "release of a corresponding patch"?

You also use a lot of acronyms (NVD, CVSS) without defining what they
mean or giving any references to them.

Finally, you ask about your graph, but you haven't given us any
information about the data that's fed into the graph.  Which XSAs are
you talking about?  Which ones fall into which category?  That would
be much more useful in helping people answer this kind of question.

 -George
