When it comes to disclosed cybersecurity vulnerabilities, there are important factors that can change over time.

The first of these factors is the ease of exploitation, or Exploit Code Maturity. Initially, an exploit may be merely theoretical and Unproven. Over time, Proof of Concept code may become available for certain scenarios and then evolve into more Functional code. Eventually, the exploit code may become widely available and even be packaged into an automated tool that unskilled attackers can use. In that scenario, or if active delivery and exploitation by an autonomous agent is discovered, the Exploit Code Maturity metric becomes High.

With a good bug disclosure and bounty program, an organization or vendor is informed of a vulnerability and given a time window before it is made public. This gives the vendor an opportunity to create a fix, which brings us to the second Temporal metric, Remediation Level. In the best case, an Official Fix is available from the vendor, allowing the vulnerability to be patched. Below that, the vendor may release an official Temporary Fix, tool or workaround. If the fix comes from users or the community instead, the metric is classified as an unofficial Workaround. In the worst case, a solution is Unavailable or impossible to apply.

With proprietary software, cybersecurity researchers may not have the capability to identify the root cause of unintended system behaviour, or they may not be certain exactly where a vulnerability lies. This uncertainty is measured with the Report Confidence metric. When a bug is hard to reproduce, or when reports disagree on its cause, the confidence is Unknown. When proof of concept code is available and works in certain scenarios, the metric changes to Reasonable. Unless the source code is public, reaching Confirmed requires the vendor to investigate and publish a detailed report on the breadth of the vulnerability.

Together, Exploit Code Maturity, Remediation Level and Report Confidence are known as the Temporal metrics. It is also important to note that when there is insufficient information for any of these metrics, its value is set to Not Defined (X), which is scored the same as the most severe value of that metric. With this understanding of how exploits evolve over time, one can see the importance of Continuous Monitoring of vulnerabilities, so that the risk to an organization can be recalculated and mitigations prioritized before an attack occurs.
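As an added worked example (not code from the original post), the following shows how the three metrics combine numerically under the CVSS v3.1 temporal equation, Temporal = Roundup(Base × E × RL × RC), and why Not Defined scores like the most severe value: its multiplier is 1.0, the same as High, Unavailable and Confirmed. The base score and the disclosure timeline are constructed for illustration.

```python
import math

# Multipliers from the CVSS v3.1 specification (Temporal Metrics).
# "X" (Not Defined) carries the same multiplier as the most severe value.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: the smallest one-decimal number >= value,
    computed in integer arithmetic so floating-point noise cannot flip it."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def parse_temporal(vector: str) -> dict:
    """Extract E, RL and RC from a vector such as 'CVSS:3.1/.../E:P/RL:W/RC:R'.
    Metrics that are absent from the vector are treated as Not Defined (X)."""
    values = {"E": "X", "RL": "X", "RC": "X"}
    for part in vector.split("/"):
        if ":" not in part:
            continue
        name, val = part.split(":", 1)
        if name in values:
            values[name] = val
    return values


def temporal_score(base_score: float, vector: str) -> float:
    """Temporal score = Roundup(Base x E x RL x RC)."""
    t = parse_temporal(vector)
    product = (base_score
               * EXPLOIT_CODE_MATURITY[t["E"]]
               * REMEDIATION_LEVEL[t["RL"]]
               * REPORT_CONFIDENCE[t["RC"]])
    return roundup(product)


if __name__ == "__main__":
    # Constructed timeline for one hypothetical flaw with a base score of 9.8,
    # re-scored as exploit maturity, remediation and confidence change.
    timeline = [
        ("day 0", "E:U/RL:U/RC:U"),    # theoretical, no fix, unclear cause
        ("day 10", "E:P/RL:W/RC:R"),   # PoC public, community workaround
        ("day 30", "E:F/RL:O/RC:C"),   # functional exploit, vendor patch
        ("day 60", "E:H/RL:O/RC:C"),   # weaponized; patch still available
    ]
    for when, vec in timeline:
        print(f"{when:>7}  {vec:16}  temporal score {temporal_score(9.8, vec)}")
```

Note that the score rises from 8.3 to 9.4 across the timeline even though a vendor patch exists from day 30 on, which is exactly why unpatched systems must be re-prioritized as exploit maturity climbs.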

That is all for Temporal Metrics. Next in this series, we will explore how an organization must use the specifics of their environment to understand the possible impact of a known vulnerability.