City Research Online

Longitudinal Vulnerability Lifecycle Analysis

Albedah, E., Gashi, I. ORCID: 0000-0002-8017-3184 & Howe, J. M. ORCID: 0000-0001-8013-6941 (2026). Longitudinal Vulnerability Lifecycle Analysis. Paper presented at the European Dependable Computing Conference, 7-10 Apr 2026, Canterbury, UK.

Abstract

Software vulnerabilities follow lifecycles from discovery through disclosure, exploitation, and patching, with the temporal dynamics between these events defining critical risk windows. Understanding these lifecycle dynamics is essential for security policy and risk management strategies. This paper provides a longitudinal analysis of 278,000+ vulnerabilities (1999–2025), extending foundational research with more than a decade of additional data and novel temporal analysis methods that leverage recent patch datasets and standardised CWE classification. Our findings reveal a paradoxical dual narrative: ecosystem-wide analysis shows coordinated disclosure achieved tactical improvements, with 87.0% of patched vulnerabilities having patches available by disclosure day, whilst 80.6% of exploited vulnerabilities have exploits available. However, direct competition analysis reveals that attackers win 75.8% of races, with this advantage becoming statistically significant post-2015 and accelerating to an average of +147.9 days for 2020–2024 (p < 0.0001). Temporal analysis demonstrates that exploitation strategies evolved substantially: pre-disclosure exploitation rates declined from 91% to 40% for SQL Injection and from 93% to 35% for Cross-Site Scripting, indicating that attackers have diversified their timing strategies, contrary to the 88.2% same-day exploit dominance reported in prior work. This work establishes an updated empirical baseline for the vulnerability lifecycle, underscores the limitations of public datasets, and provides insights for informing security policies and risk management strategies.
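The abstract reports several lifecycle metrics without this page giving the paper's exact definitions. As an added illustration (not the authors' code), the following Python script computes metrics of the same kind over a constructed set of vulnerability records: the share of patched vulnerabilities with a patch available by disclosure day, the share of exploited vulnerabilities with an exploit available by disclosure day, the attacker win rate in direct patch-versus-exploit races, and the per-CWE pre-disclosure exploitation rate. The definitions it applies are assumptions: "available by disclosure day" means patch (or exploit) date on or before the disclosure date; the attacker "wins" a race when the exploit date strictly precedes the patch date, and ties count separately; "lead" is patch date minus exploit date in days (positive when the attacker was first); "pre-disclosure exploitation" means exploit date strictly before disclosure. The CVE identifiers, CWE labels and dates in the sample are constructed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability's lifecycle dates. None means the event is unknown/never observed."""
    cve_id: str
    cwe: str
    disclosed: date
    patched: Optional[date] = None
    exploited: Optional[date] = None


def patch_by_disclosure_rate(records: Iterable[VulnRecord]) -> float:
    """Share of patched vulns whose patch date is on or before disclosure day (assumed definition)."""
    patched = [r for r in records if r.patched is not None]
    if not patched:
        return 0.0
    return sum(1 for r in patched if r.patched <= r.disclosed) / len(patched)


def exploit_by_disclosure_rate(records: Iterable[VulnRecord]) -> float:
    """Share of exploited vulns whose exploit date is on or before disclosure day (assumed definition)."""
    exploited = [r for r in records if r.exploited is not None]
    if not exploited:
        return 0.0
    return sum(1 for r in exploited if r.exploited <= r.disclosed) / len(exploited)


def race_outcomes(records: Iterable[VulnRecord]) -> Dict[str, float]:
    """Direct competition: only vulns with BOTH a patch and an exploit date take part.

    Attacker wins when exploit strictly precedes patch; vendor wins when patch strictly
    precedes exploit; same-day is a tie. Lead = (patched - exploited) in days, so a
    positive mean lead means attackers were, on average, ahead. These are assumed definitions.
    """
    races = [r for r in records if r.patched is not None and r.exploited is not None]
    attacker = sum(1 for r in races if r.exploited < r.patched)
    vendor = sum(1 for r in races if r.patched < r.exploited)
    ties = len(races) - attacker - vendor
    leads = [(r.patched - r.exploited).days for r in races]
    return {
        "races": len(races),
        "attacker_wins": attacker,
        "vendor_wins": vendor,
        "ties": ties,
        "attacker_win_rate": attacker / len(races) if races else 0.0,
        "mean_lead_days": mean(leads) if leads else 0.0,
    }


def pre_disclosure_exploitation_by_cwe(records: Iterable[VulnRecord]) -> Dict[str, float]:
    """Per CWE, share of exploited vulns whose exploit date is strictly before disclosure."""
    by_cwe: Dict[str, List[VulnRecord]] = {}
    for r in records:
        if r.exploited is not None:
            by_cwe.setdefault(r.cwe, []).append(r)
    return {
        cwe: sum(1 for r in rs if r.exploited < r.disclosed) / len(rs)
        for cwe, rs in sorted(by_cwe.items())
    }


# Constructed sample records (hypothetical identifiers and dates, not real CVEs).
SAMPLE: List[VulnRecord] = [
    VulnRecord("CVE-0000-0001", "CWE-89",  date(2021, 3, 1), date(2021, 2, 20), date(2021, 3, 10)),
    VulnRecord("CVE-0000-0002", "CWE-89",  date(2021, 5, 1), date(2021, 5, 1),  date(2021, 4, 15)),
    VulnRecord("CVE-0000-0003", "CWE-79",  date(2022, 1, 10), date(2022, 2, 1), date(2022, 1, 10)),
    VulnRecord("CVE-0000-0004", "CWE-79",  date(2022, 6, 1), None,              date(2022, 5, 20)),
    VulnRecord("CVE-0000-0005", "CWE-787", date(2023, 2, 1), date(2023, 1, 25), None),
    VulnRecord("CVE-0000-0006", "CWE-787", date(2023, 9, 1), date(2023, 9, 5),  date(2023, 9, 3)),
]


if __name__ == "__main__":
    print(f"patch by disclosure day:   {patch_by_disclosure_rate(SAMPLE):.1%}")
    print(f"exploit by disclosure day: {exploit_by_disclosure_rate(SAMPLE):.1%}")
    print("race outcomes:", race_outcomes(SAMPLE))
    print("pre-disclosure exploitation by CWE:", pre_disclosure_exploitation_by_cwe(SAMPLE))
```

Note that the ecosystem-wide rates and the race statistics are computed over different populations (all patched or all exploited vulns versus only those with both dates), which is why, as in the abstract, a high patch-by-disclosure share can coexist with attackers winning most direct races. Records with a missing date are excluded from the race rather than treated as a win for either side; how such gaps are handled is one of the public-dataset limitations the abstract alludes to.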

Publication Type: Conference or Workshop Item (Paper)
Publisher Keywords: Vulnerability lifecycle, software security, empirical analysis, vendor response, exploitation patterns.
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: School of Science & Technology
School of Science & Technology > Department of Computer Science
Text - Accepted Version: EDCC_2026_Conf_ieee.pdf
This document is not freely accessible due to copyright restrictions.
