CVEs With a CVSS Score Greater Than or Equal to 9
Lena Sinterhauf, Andreas Aßmuth, Roland Kaltefleiter

TL;DR
This study analyzes the timelines and delays in identifying, disclosing, and patching critical CVEs with scores of 9.0 or higher, highlighting systemic risks and proposing improvements.
Contribution
It combines quantitative data analysis of over 245,000 vulnerabilities with qualitative case studies to identify delay factors in critical vulnerability management.
Findings
Significant delays exist in public disclosure and patch deployment.
Industry-specific factors and organizational resources influence delay durations.
Faster disclosure has not fully closed the remediation gap for critical vulnerabilities.
Abstract
Critical vulnerabilities with Common Vulnerability Scoring System scores of 9.0 or higher pose severe risks to organisations' information systems. Timely detection and remediation are essential to minimise economic and reputational damage from cyberattacks. This paper provides a thorough analysis of the identification and resolution timelines of such critical vulnerabilities. A mixed-methods approach is employed, integrating quantitative data from global vulnerability databases (245,456 Common Vulnerabilities and Exposures records spanning 2009 to 2024, of which 12.8 % were critical) with qualitative case studies of notable incidents. This combination of quantitative and qualitative data sources enables the identification of patterns and delay factors in vulnerability management. The findings indicate significant delays in public disclosure and patch deployment,…
