Abstract
Knowing if/when a cyber-vulnerability will be exploited and how severe the vulnerability is can help enterprise security officers (ESOs) come up with appropriate patching schedules. Today, this ability is severely compromised: our study of data from MITRE and NIST shows that on average there is a 132-day gap between the announcement of a vulnerability by MITRE and the time NIST provides an analysis with severity score estimates and 8 important severity attributes. Many attacks happen during this very 132-day window. We present Vulnerability Exploit Scoring & Timing (VEST), a system for (early) prediction and visualization of if/when a vulnerability will be exploited, and its estimated severity attributes and score.