The Vulnerability Hype Cycle

I’m certain this has been written about before. I believe it’s worth laying out again. This month I will have covered information security for 17 years. The vulnerability hype cycle has not changed. While I do not have all the answers, I do have confidence in our community that we will continue to work toward change. For now, here’s my tongue-in-cheek description of how so many vulnerabilities are handled today:

  1. Someone, or a team of people, spends copious amounts of time finding a software bug or a series of bugs. A small subset of those bugs turn out to be vulnerabilities. An even smaller subset of those vulnerabilities turn out to be exploitable.
  2. An exploit is written, and a disclosure process takes place for an arbitrary length of time.
  3. The vulnerability potentially gets a name, a logo, a song, a dance, and a website.
  4. Everyone starts talking about the vulnerability, especially how bad it is. We throw around terms like “supply chain,” “vulnerability management,” “patching” and “risk,” often without enough context or definition.
  5. Malicious actors begin exploiting the vulnerability to achieve their goals (this could happen before any of these steps, including #1).
  6. Some organizations patch the vulnerability, and some do not. Sometimes the patch works, sometimes it does not, and sometimes additional vulnerabilities are discovered and patched (or not).
  7. Eventually, everyone forgets about the vulnerability, and some unknown number of systems remain vulnerable forever.