The Secret Life of CVEs
Piotr Przymus, Mikołaj Fejzer, Jakub Narębski, Krzysztof Stencel
TL;DR
This study models CVE lifetime as a time-to-event problem using survival analysis to quantify how long vulnerabilities remain unresolved within software projects. By combining World of Code commits with CVE data, it defines lifetimes, applies Kaplan-Meier estimation and Somers' D to assess language, CVE, and project risk factors, and analyzes a large cohort of CVE–project pairs. Key findings include a median fix time of 34 days, a strong influence of memory-model and access-vector features on CVE survival, and pronounced effects of project activity and team size on resolution timing. The work provides a scalable, data-driven view of vulnerability remediation dynamics and identifies concrete avenues for future research, including deeper language and embargo analyses.
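To make the time-to-event framing concrete, the following is an added example (not the paper's code or data) of a Kaplan-Meier estimate over right-censored CVE–project lifetimes. The sample durations are constructed for illustration: each pair records the days from CVE publication to the fixing commit, with an event flag of 0 meaning the vulnerability was still open at the end of the observation window, so only a lower bound on its lifetime is known. The example also contrasts the Kaplan-Meier median with the naive median over fixed pairs only, which is what one gets by discarding the still-open cases.

```python
"""Kaplan-Meier estimate of CVE lifetime with right censoring.

Added example, not code from the paper. Each CVE-project pair contributes
a duration in days and an event flag: 1 if a fixing commit was observed,
0 if the pair was still unresolved at the observation cutoff (censored).
"""

# Constructed sample data: (days, fixed). fixed=0 means the CVE was still
# open when observation stopped, so its true lifetime exceeds `days`.
SAMPLE = [
    (3, 1), (7, 1), (7, 1), (14, 0), (20, 1), (34, 1),
    (34, 0), (60, 1), (90, 0), (120, 1), (200, 0), (365, 1),
]


def kaplan_meier(pairs):
    """Return [(t, S(t))] at each distinct fix time t.

    S(t) = prod over fix times t_i <= t of (1 - d_i / n_i), where d_i is
    the number of fixes at t_i and n_i the number of pairs still at risk
    (unresolved and not yet censored) at t_i. A pair censored at time c
    stays in the risk set for every t_i <= c but never counts as a fix.
    """
    pairs = sorted(pairs)
    fix_times = sorted({t for t, fixed in pairs if fixed == 1})
    survival = 1.0
    curve = []
    for t in fix_times:
        at_risk = sum(1 for d, _ in pairs if d >= t)
        fixes = sum(1 for d, fixed in pairs if d == t and fixed == 1)
        survival *= 1.0 - fixes / at_risk
        curve.append((t, survival))
    return curve


def median_survival(curve):
    """Kaplan-Meier median: first fix time at which S(t) <= 0.5, else None."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def naive_median_of_fixed(pairs):
    """Median over fixed pairs only, ignoring censored (still-open) CVEs.

    Shown for contrast: dropping open CVEs biases the estimate downward,
    because the longest-lived vulnerabilities are exactly the ones most
    likely to be unresolved when observation stops.
    """
    durations = sorted(d for d, fixed in pairs if fixed == 1)
    n = len(durations)
    mid = n // 2
    if n % 2 == 1:
        return float(durations[mid])
    return (durations[mid - 1] + durations[mid]) / 2.0


if __name__ == "__main__":
    curve = kaplan_meier(SAMPLE)
    for t, s in curve:
        print(f"day {t:4d}: S(t) = {s:.3f}")
    print("Kaplan-Meier median lifetime (days):", median_survival(curve))
    print("naive median over fixed pairs only :", naive_median_of_fixed(SAMPLE))
```

Running it on the constructed sample gives a Kaplan-Meier median of 60 days against a naive median of 27 days; the gap is the censoring bias that survival analysis exists to remove, and it is why a study of this kind must keep unresolved CVEs in the risk set rather than filtering to fixed ones.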
Abstract
The Common Vulnerabilities and Exposures (CVEs) system is a reference method for documenting publicly known information security weaknesses and exposures. This paper presents a study of the lifetime of CVEs in software projects and the risk factors affecting their existence. The study uses survival analysis to examine how features of programming languages, projects, and CVEs themselves impact the lifetime of CVEs. We suggest avenues for future research to investigate the effect of various factors on the resolution of vulnerabilities.
