It can be days before vulnerabilities shared on the Dark Web are being published made public through the NVD and advisories, researchers have discovered.
On Wednesday, cybersecurity firm Recorded Future revealed the results of research into whether vulnerabilities are disclosed in the Dark Web -- the unindexed area of the Internet which can only be reached via the Tor network -- as well as security sources before they are published to the National Vulnerability Database (NVD).
According to the firm, there is an average time lag of seven days between public disclosure and official notifications which are sent to organizations and security companies, and over 75 percent of over 12,500 disclosed Common Vulnerabilities and Exposures (CVEs) included in the study were reported online before entering the database.
These sources include media, blogs, as well as the Dark Web, paste sites such as Pastebin, and underground criminal forums.
Recorded Future said the results "call into question the reliability of official disclosure channels."
"This disparity between the unofficial and official communication of CVEs is placing a greater onus on CISOs and security teams, leaving them unknowingly open to potential exploits and unable to make strategic and informed decisions on their security strategy," the company added.
The study data, taken from the beginning of 2016, also revealed that there is a time lag between vendor announcements and NVD publishing. The fastest recorded was only a day later, while the slowest was published to the NVD 172 days after.
Over 1,500 sources reported on vulnerabilities prior to release, and 5 percent that was spotted on the Dark Web prior to public disclosure have high severity levels. In addition, 30 percent of bugs found in the underground were published in foreign languages.
In the case of the Dirty Cow vulnerability, the proof-of-concept (POC) was posted to Pastebin 15 days before NVD publication.
Read also: Insider trading takes the Dark Web by storm
Christopher Ahlberg, CEO at Recorded Future, said the results were hardly a surprise. According to the executive, there has been a "long belief" in a time delay between official and unofficial sources for vulnerability disclosure, and now studies have confirmed this, it is even more critical than ever that companies use a multi-pronged approach to intelligence and security.
The security firm suggests that rather than hitting the panic button when a particularly nasty vulnerability is made public, companies should adopt a "proactive and risk-based approach," including assessing risk, using applied intelligence from multiple sources, and focusing on the CVEs that have the highest risk of being exploited, enterprise players will have more of a chance to distance themselves from the next security disaster on the horizon.
As we saw with WannaCry, old and known vulnerabilities can still have enough impact to send critical services and businesses across the globe into chaos. Legacy systems are an issue and a constant safety risk once support ends, but it is also where security is placed in terms of priority which can determine the consequence of both known and unknown bugs being leveraged against organizations and companies.
Read also: Leaked NSA hacking exploit used in WannaCry ransomware is now powering Trojan malware
"These findings demonstrate the need for organizations to look beyond the official channels of vulnerability disclosure, such as the NVD, and take a proactive view of vulnerability management that focuses on risk," said Bill Ladd, chief data scientist at Recorded Future. "Security teams can no longer do vulnerability management by numbers."
"By accessing, aggregating, and applying the available intelligence from a wealth of additional sources, including the dark web, social media, news outlets, and forums, organizations will have a better understanding of their risk and can make informed, strategic decisions that positively impact the business," Ladd added.
This week, researchers revealed how Instagram is being used by scam artists to lure individuals into taking part in a fraudulent scheme that has cost banks at least $50,000.