Zero-day vulnerabilities make headlines, but the real story is that risk persists even after a vulnerability is known and fixed. Those risks span lag time in OEM adoption, painful patch testing, end-user update problems, and more. Additionally, over one-third of the zero-day vulnerabilities exploited in the wild that we analyzed in 2022 are variants of earlier patched vulnerabilities, the result of vendors applying incomplete fixes to the original vulnerability. In a white paper we’re releasing today, we propose initiatives in response to these risks, including:
- Greater transparency from vendors and governments in vulnerability exploitation and patch adoption to help the community diagnose whether current approaches are working.
- More attention on friction points throughout the vulnerability lifecycle to ensure risks to users are being comprehensively addressed.
- Addressing the root cause of vulnerabilities and prioritizing modern secure software development practices that have the potential to close off entire avenues of attack.
- Protecting good-faith security researchers, who make significant contributions to security through their efforts to find vulnerabilities before attackers can exploit them. Unfortunately, these researchers can still face legal threats when their contributions are unwelcome or misunderstood, which creates a chilling effect on beneficial research and vulnerability disclosure.