Modeling the Delivery of Security Advisories and CVEs

Jukka Ruohonen1, Sami Hyrynsalmi1, 2 and Ville Leppänen1

  1. Department of Information Technology, University of Turku
    FI-20014 Turun yliopisto, Finland
    {juanruo, sthyry, ville.leppanen}
  2. Pori Department, Tampere University of Technology
    P.O. Box 300, FI-28101 Pori, Finland


This empirical paper models three structural factors that are hypothesized to affect the turnaround times between the publication of security advisories and Common Vulnerabilities and Exposures (CVEs). The three structural factors are: (i) software product age at the time of advisory release; (ii) severity of vulnerabilities coordinated; and (iii) amounts of CVEs referenced in advisories. Although all three factors are observed to provide only limited information for statistically predicting the turnaround times in a dataset comprised of Microsoft, openSUSE, and Ubuntu operating system products, the paper outlines new research directions for better understanding the current problems related to vulnerability coordination.

Key words

security patching, vulnerability life cycle, negative result

Digital Object Identifier (DOI)

Publication information

Volume 14, Issue 2 (June 2017)
Year of Publication: 2017
ISSN: 1820-0214 (Print) 2406-1018 (Online)
Publisher: ComSIS Consortium

Full text

DownloadAvailable in PDF
Portable Document Format

How to cite

Ruohonen, J., Hyrynsalmi, S., Leppänen, V.: Modeling the Delivery of Security Advisories and CVEs. Computer Science and Information Systems, Vol. 14, No. 2, 537–555. (2017),