Vulnerability responsiveness report
As discussed in the last meeting, we'd welcome information on our reactivity, i.e. the time from when a CVE becomes known until it is fixed.
Applications:
- Answer prospective sponsors who request such statistics, e.g. "on average, high-severity vulns are fixed within X days" or "on average, Y% of high- and critical-severity vulns are fixed within 30 days"
- Check if our procedures yield a satisfying level of quality (along with other metrics, such as number of regressions and number of waiting/claimed packages in dla-needed.txt)
- Detect stalled updates for critical vulnerabilities
Pitfalls:
- CVE creation date has no relevance to when it is made public or known to distros; CVE IDs may even be batch-assigned in advance. One "start time" candidate is when the security team starts triaging the CVE; NIST's publication date might also be used if it is available and easy to obtain in batch
- A CVE may be stalled (e.g. upstream only provides a patch months later, if ever; the CVE is near-unfixable due to architectural choices or backward-compatibility issues; the CVE is undermined and the reporter is unreachable); the report needs to exhibit our reactivity, not the reactivity of people upstream
- Per-CVE history is difficult to extract from the security-tracker Git repository, because everything is stored in a single 20MB+ file
- CVE severity is not standardized; MITRE doesn't provide one, and e.g. NIST and Red Hat both provide their own CVSS scores; NIST's NVD database is synced by the security-tracker, not sure about Red Hat's
- DSA analysis is error-prone: some CVEs are fixed in stable updates without a DSA; also, one DSA may cover two suites, and if the affected CVE set differs between them the DSA tag may be missing in oldstable, making it harder to tell whether the version was already fixed or was an update. The complete picture involves both the fixed versions and the DLAs/DSAs; the "end time" could be correlated from tracker.debian.org
- We should coordinate with the security team if it is interested in integrating such timing data in their infrastructure, and how
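To make the numbers above concrete, here is an added example (not part of the original notes or of the security-tracker tooling) that computes the two sponsor statistics and the stalled-critical list over a constructed set of per-CVE records. It assumes each record already carries a "start" date (triage start, per the pitfall above) and an optional fix date (DLA/DSA or fixed upload), plus an assumed "upstream_blocked" flag so that CVEs stalled upstream are excluded from our own reactivity figures.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable, Optional

@dataclass
class CveRecord:
    cve: str
    severity: str                   # "critical", "high", "medium", "low" (assumed scale)
    start: date                     # when the security team started triaging the CVE
    fixed: Optional[date] = None    # DLA/DSA or fixed-upload date; None while still open
    upstream_blocked: bool = False  # assumed flag: stalled on upstream, not counted against us

def time_to_fix(rec: CveRecord) -> Optional[int]:
    """Days from triage start to fix, or None when the CVE is still open."""
    return None if rec.fixed is None else (rec.fixed - rec.start).days

def fix_stats(records: Iterable[CveRecord], severities, window_days: int = 30) -> dict:
    """Median days-to-fix and share fixed within window_days for the given severities.
    Still-open CVEs stay in the denominator of the window share (they were not fixed
    in time) but are left out of the median; upstream-blocked ones are ignored."""
    sel = [r for r in records if r.severity in severities and not r.upstream_blocked]
    durations = [d for d in map(time_to_fix, sel) if d is not None]
    within = sum(1 for d in durations if d <= window_days)
    return {
        "count": len(sel),
        "fixed": len(durations),
        "median_days": median(durations) if durations else None,
        "within_window_pct": round(100.0 * within / len(sel), 1) if sel else None,
    }

def stalled(records: Iterable[CveRecord], today: date,
            severities=("critical",), max_open_days: int = 30) -> list:
    """CVEs of the given severities still open for more than max_open_days."""
    return sorted(r.cve for r in records
                  if r.severity in severities and r.fixed is None
                  and (today - r.start).days > max_open_days)

# Constructed sample data; the CVE IDs are placeholders, not real entries.
SAMPLE = [
    CveRecord("CVE-0000-0001", "critical", date(2023, 1, 2), date(2023, 1, 10)),   # 8 days
    CveRecord("CVE-0000-0002", "high", date(2023, 1, 5), date(2023, 2, 20)),       # 46 days
    CveRecord("CVE-0000-0003", "high", date(2023, 1, 8), date(2023, 1, 30)),       # 22 days
    CveRecord("CVE-0000-0004", "critical", date(2023, 1, 15)),                     # still open
    CveRecord("CVE-0000-0005", "medium", date(2023, 1, 20), upstream_blocked=True),
    CveRecord("CVE-0000-0006", "critical", date(2023, 3, 1)),                      # open, recent
]

if __name__ == "__main__":
    print(fix_stats(SAMPLE, {"critical", "high"}))
    print(stalled(SAMPLE, today=date(2023, 3, 15)))
```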
Edited by Sylvain Beucler