Modeling the Operations of the Vulnerability Ecosystem

Poster
This poster describes models, metrics, datasets, and key performance indicators developed to improve vulnerability response.
Publisher

Software Engineering Institute

Abstract

Measuring Vulnerability Response (VR) solely by Vulnerability Management (VM) metrics underserves defenders, due to inadequate disclosure practices upstream. This inadequacy highlights a deeper problem: while many defenders are familiar with VM practices, they do not recognize the importance of the Coordinated Vulnerability Disclosure (CVD) process that feeds into it. This work developed models, metrics, datasets, and key performance indicators for VR practices that account for CVD as well as VM.