Putting private and government CERT’s to the test

To be able to take notice of new vulnerabilities, businesses and enterprises need accurate and validated information from a trusted source. CERTs and private-sector service offerings provide such information through the publication of vulnerability advisories. The quality, quantity, and disclosure time of such advisories vary considerably between sources. By monitoring relevant security sites at 30-minute intervals for more than 18 months, we collected a unique dataset to compare CERTs and private offerings. In addition, we also collected data from well-known exploit sites. As an independent research institute, we present an unbiased analysis of the performance of CERTs and security information providers from the private sector. We show the evolution of the number of disclosures, the number of references to CVE, the risk metrics used, and the timeliness of publication over the year, day of week, and time of day. Correlating the advisories based on the CVE as a unique vulnerability identifier allows us to compare the advisory providers against each other. Further, we compare the advisory data with the rate of exploit publications. We find differences between the advisory providers and offer an interpretation. We revisit the vulnerability lifecycle with respect to our findings and examine their impact in the context of the full disclosure debate. We conclude that having multiple independent advisory providers is very important to the security society. Collectively, they serve as an efficient watchdog monitoring the (in)security scene, providing threat information in a usable format for businesses.
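The abstract's central method is to correlate advisories from different providers on the CVE id and then compare how many advisories each provider publishes, how many carry a CVE reference, and how far behind the first publisher each one is. The following is an added illustration of that correlation step, not code from the paper or its authors; the provider names, CVE ids, timestamps and advisory texts are constructed sample data, not the paper's dataset, and the functions (`extract_cves`, `index_by_cve`, `disclosure_lags`, `provider_stats`) are hypothetical names chosen for this example.

```python
"""Correlate vulnerability advisories from several providers by CVE id.

Added example: the providers, CVE ids and timestamps below are constructed
for illustration and are not the paper's dataset.
"""
import re
from collections import defaultdict
from datetime import datetime

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: (provider, ISO timestamp of publication, advisory text)
SAMPLE_ADVISORIES = [
    ("cert-a",   "2006-03-01T09:30:00", "Heap overflow in example daemon (CVE-2006-0001)"),
    ("cert-a",   "2006-03-01T12:00:00", "Update: CVE-2006-0001 patch available"),
    ("vendor-b", "2006-03-01T14:00:00", "Advisory: CVE-2006-0001 remote code execution"),
    ("vendor-b", "2006-03-02T08:00:00", "Two issues: CVE-2006-0002 and CVE-2006-0003"),
    ("cert-a",   "2006-03-03T08:00:00", "Privilege escalation, see CVE-2006-0002"),
    ("cert-a",   "2006-03-04T10:00:00", "Unconfirmed report, no CVE assigned yet"),
    ("vendor-b", "2006-03-04T12:00:00", "Denial of service CVE-2006-0004"),
]


def extract_cves(text):
    """Return the distinct CVE ids mentioned in an advisory, in sorted order."""
    return sorted(set(CVE_RE.findall(text)))


def index_by_cve(advisories):
    """Map CVE id -> provider -> earliest publication time seen for that provider.

    Keeping only the earliest time per provider stops follow-up advisories
    (updates, re-issues) from distorting the timeliness comparison.
    """
    index = defaultdict(dict)
    for provider, published, text in advisories:
        ts = datetime.fromisoformat(published)
        for cve in extract_cves(text):
            prev = index[cve].get(provider)
            if prev is None or ts < prev:
                index[cve][provider] = ts
    return index


def disclosure_lags(index):
    """For each CVE covered by at least two providers, the lag in hours of every
    provider behind the first one to publish (0.0 for the first; ties share 0.0)."""
    lags = {}
    for cve, by_provider in index.items():
        if len(by_provider) < 2:
            continue
        first = min(by_provider.values())
        lags[cve] = {p: (t - first).total_seconds() / 3600.0
                     for p, t in by_provider.items()}
    return lags


def provider_stats(advisories):
    """Per provider: total advisories, advisories carrying a CVE reference,
    distinct CVEs covered, number of shared CVEs it published first, and mean
    lag in hours over the CVEs it shares with at least one other provider."""
    lags = disclosure_lags(index_by_cve(advisories))
    acc = defaultdict(lambda: {"advisories": 0, "with_cve": 0, "cves": set(),
                               "first": 0, "lag_sum": 0.0, "shared": 0})
    for provider, _, text in advisories:
        s = acc[provider]
        s["advisories"] += 1
        cves = extract_cves(text)
        if cves:
            s["with_cve"] += 1
            s["cves"].update(cves)
    for by_provider in lags.values():
        for provider, lag in by_provider.items():
            s = acc[provider]
            s["shared"] += 1
            s["lag_sum"] += lag
            if lag == 0.0:
                s["first"] += 1
    return {
        p: {
            "advisories": s["advisories"],
            "with_cve": s["with_cve"],
            "cves": len(s["cves"]),
            "first": s["first"],
            "mean_lag_hours": (s["lag_sum"] / s["shared"]) if s["shared"] else None,
        }
        for p, s in acc.items()
    }


if __name__ == "__main__":
    for provider, s in sorted(provider_stats(SAMPLE_ADVISORIES).items()):
        print(provider, s)
```

On the constructed sample the two providers each publish first once; cert-a covers fewer CVEs and has the larger mean lag because it re-issued CVE-2006-0002 a full day after vendor-b, while its advisory without a CVE reference is counted but cannot be correlated at all, which is why the number of references to CVE matters as much as the number of disclosures.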
