
arxiv: 2604.20765 · v1 · submitted 2026-04-22 · 💻 cs.CR

CVEs With a CVSS Score Greater Than or Equal to 9

Pith reviewed 2026-05-10 00:32 UTC · model grok-4.3

classification 💻 cs.CR
keywords: critical vulnerabilities, CVSS, CVE, vulnerability disclosure, patch deployment, remediation timelines, cybersecurity, vulnerability management

The pith

Critical vulnerabilities show significant delays in both public disclosure and patch deployment due to organizational factors.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper measures the time from identification to public disclosure and then to actual patching for vulnerabilities rated 9.0 or higher on the CVSS scale. It combines records from 245,456 CVEs spanning 2009 to 2024 with case studies of specific incidents to reveal consistent patterns of delay. The work finds that disclosure has quickened in recent years but remediation times remain extended because of differences across industries, limits on available resources, and routine organizational procedures. These lags matter because they leave systems open to severe attacks that can produce lasting economic and reputational costs. The authors close by listing concrete steps organizations could take to shorten response cycles.

Core claim

The paper establishes that critical vulnerabilities experience notable lags both in becoming publicly known and in receiving deployed fixes, with these timelines shaped by industry context, resource levels, and internal company processes. Even with faster disclosure, the interval until remediation closes remains a widespread problem rooted in organizational resistance to change and the inherent complexity of the affected systems. The claim rests on quantitative patterns extracted from the full CVE dataset together with qualitative details from notable incidents.

What carries the argument

Mixed-methods tracking of disclosure dates and patch deployment dates for CVSS >=9 CVEs, drawn from 245,456 database records and supported by qualitative incident case studies.
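The two measurements this method rests on, reservation-to-disclosure lag from public CVE records and disclosure-to-deployment exposure from an organisation's own patch log, can be computed as follows. This is an added example written for this page, not code from the paper or from Pith. It assumes records in the shape of CVE JSON 5.x as served by the cve.org list download (`cveMetadata.dateReserved`, `cveMetadata.datePublished`, CVSS objects under `containers.cna.metrics`); the sample records, the `ALT_PUBLISHED` alternative date field (standing in for NVD's `published`) and the `DEPLOYMENT_LOG` are constructed, and `CRITICAL_THRESHOLD`, `median_lag_by_year`, `exposure_days` and the other names are this example's own. Swapping the date field is the sensitivity check the referee report below asks for; the deployment side is the input that, as the standing objection below notes, public CVE/NVD data does not record, so it has to come from inside the organisation.

```python
"""Timeline metrics for critical CVEs: reservation-to-disclosure lag and
disclosure-to-deployment exposure, computed from CVE JSON 5 style records."""
import json
from datetime import datetime
from statistics import median

CRITICAL_THRESHOLD = 9.0  # the paper's cut-off: CVSS base score >= 9.0 counts as critical

# Constructed sample records in the shape of CVE JSON 5.x (cve.org list download).
# IDs, dates and scores are invented for illustration and do not describe real CVEs.
SAMPLE_CVE_JSON = """[
 {"cveMetadata": {"cveId": "CVE-2099-0001", "dateReserved": "2099-01-03T00:00:00",
                  "datePublished": "2099-01-20T14:00:00.000Z"},
  "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.8}}]}}},
 {"cveMetadata": {"cveId": "CVE-2099-0002", "dateReserved": "2099-02-01T00:00:00",
                  "datePublished": "2099-05-15T09:30:00.000Z"},
  "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.1}}]}}},
 {"cveMetadata": {"cveId": "CVE-2099-0003", "dateReserved": "2099-02-10T00:00:00",
                  "datePublished": "2099-02-12T08:00:00.000Z"},
  "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 7.5}}]}}},
 {"cveMetadata": {"cveId": "CVE-2098-0007", "dateReserved": "2098-06-01T00:00:00",
                  "datePublished": "2098-06-08T00:00:00.000Z"},
  "containers": {"cna": {"metrics": [{"cvssV4_0": {"baseScore": 9.3}}]}}}
]"""

# Constructed: an alternative disclosure proxy (e.g. NVD's 'published' field) for one
# record, used to see how sensitive the lag statistics are to the chosen date field.
ALT_PUBLISHED = {"CVE-2099-0002": "2099-05-20T00:00:00"}

# Constructed internal deployment log: when the fix actually reached this fleet.
# A critical CVE with no entry is still open.
DEPLOYMENT_LOG = {"CVE-2099-0001": "2099-02-20T00:00:00",
                  "CVE-2098-0007": "2098-06-10T00:00:00"}


def parse_ts(value):
    """Parse CVE/NVD ISO-8601 timestamps as naive UTC; tolerates fractional seconds,
    a trailing 'Z' and a '+HH:MM' offset (assumption: both feeds publish in UTC)."""
    s = value.strip().rstrip("Z").split("+")[0].split(".")[0]
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def load_records(text):
    return json.loads(text)


def base_score(record):
    """Highest CNA-supplied CVSS base score across v3.0, v3.1 and v4.0 metric objects."""
    scores = [float(m[k]["baseScore"])
              for m in record["containers"]["cna"].get("metrics", [])
              for k in ("cvssV4_0", "cvssV3_1", "cvssV3_0") if k in m]
    return max(scores) if scores else None


def critical_records(records, threshold=CRITICAL_THRESHOLD):
    return [r for r in records if (base_score(r) or 0.0) >= threshold]


def published_ts(record, alt_published=None):
    """Disclosure timestamp, taken from alt_published when that mapping has the CVE."""
    cve_id = record["cveMetadata"]["cveId"]
    return parse_ts((alt_published or {}).get(cve_id) or record["cveMetadata"]["datePublished"])


def disclosure_lag_days(record, alt_published=None):
    """Whole days from CVE reservation to public disclosure."""
    reserved = parse_ts(record["cveMetadata"]["dateReserved"])
    return (published_ts(record, alt_published) - reserved).days


def median_lag_by_year(records, alt_published=None):
    """Median reservation-to-disclosure lag per publication year (the quantity in Figure 3)."""
    by_year = {}
    for r in records:
        by_year.setdefault(published_ts(r, alt_published).year, []).append(
            disclosure_lag_days(r, alt_published))
    return {year: median(lags) for year, lags in sorted(by_year.items())}


def exposure_days(records, deployment_log):
    """Whole days from disclosure until the patch landed in the fleet; None while still open."""
    out = {}
    for r in records:
        cve_id = r["cveMetadata"]["cveId"]
        deployed = deployment_log.get(cve_id)
        out[cve_id] = (parse_ts(deployed) - published_ts(r)).days if deployed else None
    return out


def sla_breaches(exposure, sla_days):
    """CVEs patched later than the SLA or not patched at all, in input order."""
    return [cve for cve, days in exposure.items() if days is None or days > sla_days]


def share_patched_within(exposure, days):
    """Fraction of critical CVEs closed within `days` of disclosure (one point of a CDF)."""
    if not exposure:
        return 0.0
    return sum(1 for d in exposure.values() if d is not None and d <= days) / len(exposure)


if __name__ == "__main__":
    crit = critical_records(load_records(SAMPLE_CVE_JSON))
    print("median disclosure lag by year:", median_lag_by_year(crit))
    print("with alternative date field:  ", median_lag_by_year(crit, ALT_PUBLISHED))
    exp = exposure_days(crit, DEPLOYMENT_LOG)
    print("exposure (days):", exp, "| SLA breaches (15d):", sla_breaches(exp, 15))
```

Run as a script it prints the per-year medians with both date fields side by side; a large difference between the two is the measurement-error signal the referee is worried about, and the SLA breach list is the deployment-side metric the editorial extensions above suggest tracking instead of disclosure dates alone.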

If this is right

  • Remediation of critical vulnerabilities lags behind disclosure and is shaped by non-technical factors.
  • Industry-specific conditions and resource constraints lengthen the time to deploy patches.
  • Organizational inertia and system complexity sustain a remediation gap that exposes systems to risk.
  • Targeted process improvements can reduce delays in responding to critical vulnerabilities.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Focusing security metrics on actual patch deployment rather than disclosure dates alone would give a clearer picture of remaining exposure.
  • The same delay patterns may exist for lower-severity vulnerabilities if examined with comparable methods.
  • Cross-sector comparisons of remediation practices could identify transferable ways to reduce organizational resistance.
  • Automated deployment tools offer one route to lessen the impact of system complexity on fix times.

Load-bearing premise

The chosen CVE records and case studies accurately represent real-world identification and remediation timelines without systematic biases in reporting or incident selection.

What would settle it

A fresh dataset of critical CVEs in which average patch deployment times have shortened to match disclosure times across industries, without changes in organizational processes, would undermine the claim of a persistent systemic remediation gap.

Figures

Figures reproduced from arXiv: 2604.20765 by Andreas Aßmuth, Lena Sinterhauf, Roland Kaltefleiter.

Figure 3: Average time from CVE reservation to public disclosure.
Figure 2: Annual distribution of CVE publications (2009–2024). Orange bars
Figure 4: Cumulative distribution of time to patch availability (2009–2024).
Figure 6: Median time to patch availability by sector (2009 to 2024). Sectors are sorted by overall patch performance (all CVEs). Orange bars represent all
Original abstract

Critical vulnerabilities with Common Vulnerability Scoring System scores of 9.0 or higher pose severe risks to organisations' information systems. Timely detection and remediation are essential to minimise economic and reputational damage from cyberattacks. This paper provides a thorough analysis of the identification and resolution timelines of such critical vulnerabilities. A mixed-methods approach is employed, integrating quantitative data from global vulnerability databases analysing 245,456 Common Vulnerabilities and Exposures records spanning from 2009 to 2024, of which 12.8 % were critical, with qualitative case studies of notable incidents. This methodical combination of quantitative and qualitative data sources enables the identification of patterns and delay factors in vulnerability management. The findings indicate significant delays in public disclosure and patch deployment, influenced by industry-specific factors, resource availability and organisational processes. The paper concludes with a series of actionable recommendations to improve the efficiency of vulnerability responses. Despite faster disclosure, the remediation gap for critical vulnerabilities remains a systemic risk, driven by organisational inertia and system complexity.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript analyzes identification and remediation timelines for critical vulnerabilities (CVSS score >=9) via a mixed-methods study of 245,456 CVE records (2009-2024, 12.8% critical) drawn from global databases, paired with qualitative case studies of notable incidents. It reports significant delays in public disclosure and patch deployment driven by industry-specific factors, resource constraints, and organizational processes; concludes that a remediation gap persists as a systemic risk despite faster disclosure; and offers actionable recommendations for improved vulnerability response.

Significance. If the timeline findings prove robust after methodological refinement, the work would usefully document patterns in critical-vulnerability handling at scale and could inform organizational and policy interventions in cybersecurity. The dataset volume and mixed-methods framing are positive features, though the absence of detailed statistical validation or bias diagnostics reduces the potential contribution relative to more rigorously instrumented empirical studies in the field.

major comments (2)
  1. [Methods / Quantitative Analysis] The headline claims of 'significant delays in public disclosure and patch deployment' and a persistent 'remediation gap' as 'systemic risk' rest on treating NVD/CVE fields (published date, last-modified date, CVSS assignment) as direct proxies for discovery and per-organization patch-deployment timelines. These fields do not record standardized external discovery dates or actual deployment dates, so measurement error from vendor-coordinated disclosure and system-complexity effects is likely; without validation, bias diagnostics, or sensitivity checks, the quantified delay magnitudes and causal attributions to organizational inertia cannot be considered reliable.
  2. [Case Studies] The sampling frame, selection criteria, and bias-mitigation steps for the 'notable incidents' used in the qualitative component are not described. Absent an explicit protocol, the identified delay factors (industry, resources, processes) risk being driven by unrepresentative or post-hoc chosen examples rather than systematic evidence.
minor comments (2)
  1. [Abstract] The description of the 'mixed-methods approach' and 'statistical methods' is too high-level; readers cannot assess how quantitative patterns were derived or how qualitative insights were integrated with the database queries.
  2. [Results] No tables or figures report basic diagnostics (e.g., distribution of timeline gaps, confidence intervals, or sensitivity to date-field choice), which would strengthen the quantitative claims.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for their constructive and detailed feedback on our manuscript. We address each major comment below, providing clarifications on our approach and indicating where revisions will strengthen the work.

Point-by-point responses
  1. Referee, major comment 1 (Methods / Quantitative Analysis): NVD/CVE date fields are used as proxies for discovery and per-organization deployment timelines without validation, bias diagnostics, or sensitivity checks.

    Authors: We acknowledge that the NVD published date functions as a proxy for public disclosure timing rather than the precise moment of initial discovery, and that the last-modified date reflects CVE record updates rather than actual per-organization patch deployment. These fields represent the most scalable and standardized data available for analyzing over 245,000 records. Our quantitative analysis follows established practices in the CVE literature for large-scale timeline studies. To improve transparency and robustness, we will add a dedicated Limitations subsection that explicitly discusses these proxy measures, their potential measurement error, and references to prior work using similar approaches. We will also incorporate sensitivity checks comparing results across alternative date fields and subsets where supplementary vendor advisory data is available. These additions will qualify the delay magnitudes and attributions without changing the core empirical patterns observed. revision: partial

  2. Referee, major comment 2 (Case Studies): no sampling frame, selection criteria, or bias-mitigation steps are described for the 'notable incidents' in the qualitative component.

    Authors: We agree that the original manuscript did not provide sufficient detail on the qualitative case selection process. The notable incidents were drawn from publicly documented high-impact critical vulnerabilities (CVSS >=9) with available post-incident timeline information from authoritative sources such as CISA alerts, vendor security bulletins, and independent security reports. In revision, we will expand the Methods section to include an explicit protocol: the sampling frame consists of critical CVEs from 2009-2024 with publicly available remediation timeline data; selection criteria emphasize impact, data completeness, and representation across industries and vulnerability types; and bias mitigation includes deliberate inclusion of both delayed and relatively timely cases plus cross-verification against multiple independent sources. This will allow readers to assess the systematic basis for the identified delay factors. revision: yes

standing simulated objections not resolved
  • Direct per-organization patch deployment dates are not recorded in public CVE or NVD databases and would require access to proprietary internal data from individual organizations, which is not feasible at the scale of 245,000 records analyzed in this study.

Circularity Check

0 steps flagged

No circularity: empirical observational study with direct data extraction

full rationale

The paper is a mixed-methods empirical analysis of 245,456 CVE records (12.8% critical) plus selected case studies. It contains no equations, derivations, fitted parameters, ansatzes, or self-citations that reduce any claim to its own inputs by construction. Timelines are extracted from standard NVD fields and incident descriptions; conclusions follow directly from those queries without self-referential loops or renaming of known results. This is the most common honest non-finding for database-driven observational work.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claims rest on the assumption that public CVE databases provide unbiased timelines and that selected case studies are representative; no free parameters or invented entities are introduced.

axioms (2)
  • domain assumption Global vulnerability databases contain complete and accurate disclosure and remediation dates for all critical CVEs.
    Invoked when treating the 245,456 records as the basis for identifying patterns and delay factors.
  • domain assumption Qualitative case studies of notable incidents can be generalized to explain quantitative delay patterns.
    Used to link database statistics to organizational and industry influences.


