cs.CR, cs.LG · Dec 7, 2020

Vulnerability Forecasting: In theory and practice

arXiv:2012.03814v1
AI Analysis

This work supports strategic patch management by reducing security professionals' uncertainty about the volume and mix of future vulnerability disclosures.

This paper demonstrates that the volume of CVEs published in the NVD can be predicted up to a year in advance, with the forecast falling within 3 percent of the actual value. It also shows that the share of that total belonging to specific vendors, software products, CVSS scores, or vulnerability types can be estimated.

Why wait for zero-days when you could predict them in advance? It is possible to predict the volume of CVEs published in the NVD as much as a year in advance, within 3 percent of the actual value, and different predictive algorithms perform best at different lookahead values. It is also possible to estimate the proportions of that total volume belonging to specific vendors, software products, CVSS scores, or vulnerability types. With this reduction in uncertainty, strategic patch management should become much easier.
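The abstract and summary above describe a pipeline (forecast total volume at a given lookahead, backtest competing models per horizon, then split the total by historical share) without reproducing it. The following is an added, stdlib-only Python sketch of that pipeline written for this page; it is not code from the paper, and the monthly counts, the trend-plus-seasonal and seasonal-naive models, the horizons, and the vendor names are all constructed assumptions. The paper's own models and its 3 percent figure are not reproduced here; the point is the shape of the evaluation, not its numbers.

```python
"""Toy CVE-volume forecast: monthly counts -> h-month-ahead forecast -> vendor split.

Added illustration for the abstract above; not the paper's code or data.
"""
import math


def make_sample_counts(months=48):
    """Constructed monthly CVE counts (NOT real NVD data): linear growth,
    an annual cycle, and small deterministic noise so results are repeatable."""
    counts = []
    for t in range(months):
        noise = ((t * 37) % 11 - 5) * 3          # bounded in [-15, 15]
        counts.append(round(1000 + 10 * t + 80 * math.sin(2 * math.pi * t / 12) + noise))
    return counts


def fit_trend_seasonal(series, period=12):
    """Estimate slope from seasonal differences (y[t] - y[t-period]) / period,
    which is not biased by the seasonal cycle, then level from the mean, then
    a per-month seasonal offset from the detrended residuals."""
    n = len(series)
    diffs = [(series[t] - series[t - period]) / period for t in range(period, n)]
    slope = sum(diffs) / len(diffs)
    level = sum(series) / n - slope * (n - 1) / 2
    resid = [y - (level + slope * t) for t, y in enumerate(series)]
    seasonal = []
    for m in range(period):
        vals = [resid[t] for t in range(n) if t % period == m]
        seasonal.append(sum(vals) / len(vals))
    return level, slope, seasonal


def forecast_trend_seasonal(series, horizon, period=12):
    """Forecast the next `horizon` months from trend plus seasonal offset."""
    level, slope, seasonal = fit_trend_seasonal(series, period)
    n = len(series)
    return [level + slope * (n + h) + seasonal[(n + h) % period] for h in range(horizon)]


def forecast_seasonal_naive(series, horizon, period=12):
    """Baseline: repeat the same month from one cycle earlier."""
    n = len(series)
    return [series[n - period + (h % period)] for h in range(horizon)]


def mape(actual, predicted):
    """Mean absolute percentage error; counts are positive so no zero guard."""
    return sum(abs(a - p) / a for a, p in zip(actual, predicted)) / len(actual)


def backtest(series, model, horizon):
    """Hold out the last `horizon` months, forecast them from the rest, score."""
    train, test = series[:-horizon], series[-horizon:]
    return mape(test, model(train, horizon))


def horizon_report(series, horizons=(1, 3, 6, 12)):
    """MAPE of each model at each lookahead, to see which wins where."""
    models = {"trend_seasonal": forecast_trend_seasonal,
              "seasonal_naive": forecast_seasonal_naive}
    return {name: {h: backtest(series, fn, h) for h in horizons}
            for name, fn in models.items()}


def annual_volume_error(series, model, horizon=12):
    """Relative error of the summed 12-month forecast against the held-out year."""
    train, test = series[:-horizon], series[-horizon:]
    return abs(sum(model(train, horizon)) - sum(test)) / sum(test)


def vendor_shares(history):
    """Historical share of volume per vendor (assumed as a proxy for future share)."""
    total = sum(history.values())
    return {v: c / total for v, c in history.items()}


def split_forecast(total, shares):
    """Apportion a total-volume forecast across vendors by share."""
    return {v: total * s for v, s in shares.items()}


if __name__ == "__main__":
    series = make_sample_counts()
    print(horizon_report(series))
    print("annual volume error:", annual_volume_error(series, forecast_trend_seasonal))
    # Constructed vendor history, not real counts.
    shares = vendor_shares({"vendor_a": 300, "vendor_b": 200, "vendor_c": 500})
    print(split_forecast(sum(forecast_trend_seasonal(series, 12)), shares))
```

The slope is estimated from seasonal differences rather than a plain least-squares line because a seasonal cycle that does not cover whole periods biases the fitted slope, and that bias compounds with the lookahead; that is the kind of horizon-dependent failure the abstract alludes to when it says different algorithms win at different lookaheads. On real NVD data one would also want to account for disclosure timing (the NVD publish date lags the CVE reservation) before trusting any annual figure.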
