Hello all,
In the context of my analysis of the delay between vulnerability disclosure
(CVE release) and the release of a corresponding patch, I am also
analyzing the relation between the delay and various vulnerability
characteristics.
The attached figure shows the relation between Access Complexity as used
by NVD and defined in CVSS. The Y-Axis shows the average delay for each
category (Low, Medium, High). The numbers on top of the bars show the
number of vulnerabilities in the respective category.
I was hoping that someone is able to help me explain the relation that
can be seen in the figure. Why would a higher Access Complexity lead to
a shorter patching delay? Or is the relation maybe just random and there
is no actual connection between the two metrics?
Stefan