The Vulnerability Life Cycle

A vulnerability is simply a weakness in a system or application that can be
exploited to gain unauthorized access to resources and data. Typical examples of
vulnerabilities include:

The ability to access a server's physical environment
Improper input validation in a Web form, which allows an attacker to inject code into an application
Misconfigurations that provide an unauthorized user with more privileges than the system designer intended
Buffer overflows, in which an application writes past the end of a memory buffer and overwrites adjacent memory
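The buffer overflow in the last item, shown as an added example that is not code from the original page. It is a constructed C snippet: a fixed-size name buffer sits directly in front of a privilege flag, so an unbounded copy of attacker-controlled input spills over the buffer's end and overwrites the adjacent field. The hardened version beside it checks the length before writing. The struct layout, the function names and the attacker input are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example record: a 16-byte name buffer followed in memory by a
 * privilege flag. Anything written past name[15] lands in is_admin. */
struct session {
    char name[16];
    int  is_admin;
};

/* VULNERABLE (kept deliberately): copies caller-controlled input with no
 * length check. Input of 16 bytes or more overruns `name` and overwrites the
 * adjacent `is_admin` field. Never call this with untrusted input. */
void set_name_vulnerable(struct session *s, const char *input)
{
    strcpy(s->name, input);             /* no bound: classic buffer overflow */
}

/* HARDENED: refuses input that does not fit (including its terminating NUL)
 * and writes nothing in that case. Returns 0 on success, -1 on rejection. */
int set_name_checked(struct session *s, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof s->name)          /* need room for len bytes plus NUL */
        return -1;
    memcpy(s->name, input, len + 1);    /* len + 1 copies the NUL as well */
    return 0;
}

int main(void)
{
    struct session s = { "", 0 };

    /* Constructed attacker input: 16 'A's fill the buffer exactly, the next
     * byte (0x01) lands in the low byte of is_admin on a little-endian host.
     * Built at runtime so the compiler cannot see the over-long constant. */
    char attack[32];
    memset(attack, 'A', 16);
    attack[16] = 1;
    attack[17] = '\0';

    set_name_vulnerable(&s, attack);
    printf("vulnerable copy: is_admin=%d (overwritten by the overflow)\n", s.is_admin);

    struct session t = { "", 0 };
    int rc = set_name_checked(&t, attack);
    printf("checked copy: rc=%d is_admin=%d (input rejected, flag intact)\n",
           rc, t.is_admin);
    return 0;
}
```

The vulnerable path is undefined behaviour in C; the value it prints depends on compiler, flags and layout, and a build with AddressSanitizer or a fortified libc will abort instead. That unpredictability is the point of the hardened version: the length check turns "sometimes privilege escalation" into a deterministic rejection.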

What is the Vulnerability Life Cycle? This model is a helpful framework for
understanding how vulnerabilities in systems and applications become points of
entry for attackers, when your risk is greatest, and how to defend yourself
appropriately.

The Vulnerability Life Cycle provides a view over time of a vulnerability's origin
and correction, and of the relative risk during each stage of the cycle.
This life cycle has the following stages:
1. The creation of the vulnerability. This is when the vulnerability is introduced
during the implementation of the vulnerable product.
2. The discovery of the vulnerability. The vulnerability in the product is found.
Several people may discover the vulnerability independently at different times. Little is
ever publicly known about this step.
3. The discovered vulnerability is disclosed. The disclosure can come from
a variety of sources, in a variety of ways. It may be announced by the
vendor or an independent researcher, or quietly buried in a product's
change log.
4. The vulnerability is corrected. This is usually done by the vendor
releasing a patch or workaround. It should lead to an overall reduction
in successful intrusions.
5. The vulnerability is publicized. This can happen in a variety of ways, for
example news reporting, a published advisory, or worm activity, but the
end effect is that many people know about the vulnerability.
6. The exploit is scripted. This means either that working exploit code is
released or that instructions on how to produce one are released. In either
case the number of attackers increases greatly, because those with less
skill (script kiddies) can now perform the attack.
7. The vulnerability becomes passé (outdated). Attackers lose interest in
exploiting this vulnerability. This is not guaranteed to happen with every
vulnerability, and some vulnerabilities (and exploits) have been shown to
enjoy cyclical popularity.
8. The vulnerability dies. This happens when the number of targets still
vulnerable to exploitation drops to an insignificant level.