Early disclosure of PoC code can help the cybersecurity community and push software developers to release fixes faster.
Researchers from Kenna Security teamed up with specialists from the Cyentia Institute to analyze 473 vulnerabilities discovered since 2019 whose exploitation was recorded in real attacks. The experts warned that when PoC code for exploiting a vulnerability is published in the public domain, attackers receive a 47-day head start to achieve their goals.
For 15 months, the research team collected data on when each vulnerability was discovered, when its CVE identifier was reserved and assigned, when the patch was released, when vulnerability scanners first detected it, and when cybercriminals first exploited it. According to the study, PoC code for exploiting a vulnerability was published in the public domain in about one in four (24%) cases, and most CVE exploitation (70%) was preceded by the publication of PoC code.
“When PoC code for exploiting vulnerabilities is released before patches, it takes longer for security teams to resolve the issue, even after the patch is released. This is an indicator that the availability of the PoC code is not a motivating factor, as some suggest,” the experts explained.
However, early code disclosure can also help the cybersecurity community, push software developers to release patches faster, and organizations to apply patches as soon as they become available.
The good news is that responsible vulnerability disclosure processes are working reasonably well. About 60% of vulnerabilities are fixed before the CVE is officially published, and within a few days after the CVE is published, this figure rises to 80%.
“Having PoC code to exploit a vulnerability does not mean that attackers will use it. Thus, there are times when attackers can deploy more attacks than defenders can fix, and there are times when defenders have an advantage,” the experts noted.