Title: Exposure of software vulnerabilities on Twitter: Analyzing vendors' behavior of releasing software patches
Authors: Romilla Syed, Joti Kaur, Leiser Silva
DOI: 10.1016/j.cose.2025.104354
Journal: Computers & Security, volume 151, Article 104354 (Journal Article)
Publication date: 2025-01-23
URL: https://www.sciencedirect.com/science/article/pii/S0167404825000434
Citations: 0
Abstract
Software vulnerabilities shared and discussed on social media platforms alert malicious users about the existence of vulnerabilities and increase the risk of exploits. In this study, we build a hazard model to explain the effect of social media exposure of software vulnerabilities on vendors’ behavior towards releasing patches. We collect data from multiple sources, including the United States Computer Emergency Readiness Team (US-CERT), the National Vulnerability Database, vendor websites, and Twitter. The results suggest that social media exposure, measured as retweet count, accelerates releasing the patches for immediately disclosed vulnerabilities. Patches are further expedited if the tweets discuss the root-cause or exploit details. Vulnerabilities shared by credible sources are patched faster. Additionally, vulnerability characteristics, such as a higher impact on confidentiality, integrity, or availability and a higher severity level, lead to faster patches. Finally, vulnerabilities that can be exploited remotely are patched faster. Overall, our findings illustrate that social media exposure exacerbates the pressure on vendors to release patches quickly. Thus, policymakers and discoverers can use social media as a tool to further influence vendor behavior in socially desirable ways.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as the primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.