Author: Charlie Osborne / Source: ZDNet
It can be days before vulnerabilities shared on the Dark Web are made public through the NVD and advisories, researchers have discovered.
On Wednesday, cybersecurity firm Recorded Future revealed the results of research into whether vulnerabilities are disclosed in the Dark Web — the unindexed area of the Internet which can only be reached via the Tor network — as well as security sources before they are published to the National Vulnerability Database (NVD).
According to the firm, there is an average time lag of seven days between public disclosure and official notifications which are sent to organizations and security companies, and over 75 percent of over 12,500 disclosed Common Vulnerabilities and Exposures (CVEs) included in the study were reported online before entering the database.
These sources include media, blogs, as well as the Dark Web, paste sites such as Pastebin, and underground criminal forums.
Recorded Future says the results “call into question the reliability of official disclosure channels.”
“This disparity between the unofficial and official communication of CVEs is placing a greater onus on CISOs and security teams, leaving them unknowingly open to potential exploits and unable to make strategic and informed decisions on their security strategy,” the company added.
The study data, taken from the beginning of 2016, also revealed that there is a time lag between vendor announcements and NVD publishing. The fastest recorded was only a day later, while the slowest was published to the NVD 172 days after.
Over 1,500 sources reported on vulnerabilities prior to release, and five percent that…