Vulnerability (computer security)
==Vulnerability lifecycle==
[[File:Vulnerability timeline.png|thumb|Vulnerability timeline|upright=1.2]]
The vulnerability lifecycle begins when vulnerabilities are introduced into hardware or software.{{sfn|Strout|2023|p=16}} Detection of vulnerabilities can be by the software vendor, or by a third party. In the latter case, it is considered most ethical to immediately disclose the vulnerability to the vendor so it can be fixed.{{sfn|Strout|2023|p=18}} Government or intelligence agencies buy vulnerabilities that have not been publicly disclosed and may use them in an attack, stockpile them, or notify the vendor.{{sfn|Libicki|Ablon|Webb|2015|p=44}} As of 2013, the [[Five Eyes]] (United States, United Kingdom, Canada, Australia, and New Zealand) captured the plurality of the market, and other significant purchasers included Russia, India, Brazil, Malaysia, Singapore, North Korea, and Iran.{{sfn|Perlroth|2021|p=145}} Organized criminal groups also buy vulnerabilities, although they typically prefer [[exploit kit]]s.{{sfn|Libicki|Ablon|Webb|2015|pp=44, 46}}

Even vulnerabilities that are publicly known or patched are often exploitable for an extended period.{{sfn|Ablon|Bogart|2017|p=8}}{{sfn|Sood|Enbody|2014|p=42}} Security patches can take months to develop,{{sfn|Strout|2023|p=26}} or may never be developed.{{sfn|Sood|Enbody|2014|p=42}} A patch can have negative effects on the functionality of software,{{sfn|Sood|Enbody|2014|p=42}} and users may need to [[software testing|test]] the patch to confirm functionality and compatibility.{{sfn|Libicki|Ablon|Webb|2015|p=50}} Larger organizations may fail to identify and patch all dependencies, while smaller enterprises and personal users may not install patches.{{sfn|Sood|Enbody|2014|p=42}}

Research suggests that the risk of cyberattack increases if the vulnerability is made publicly known or a patch is released.{{sfn|Libicki|Ablon|Webb|2015|pp=49–50}} Cybercriminals can [[reverse engineer]] the patch to find the underlying vulnerability and develop exploits,{{sfn|Strout|2023|p=28}} often faster than users install the patch.{{sfn|Libicki|Ablon|Webb|2015|pp=49–50}}

Vulnerabilities become deprecated when the software or vulnerable versions fall out of use.{{sfn|Strout|2023|p=18}} This can take an extended period of time; in particular, industrial software may not be feasible to replace even if the manufacturer stops supporting it.{{sfn|Strout|2023|p=19}}