Description
In the form of: "As a role performing task, I struggle with problem because reason."
As a CVE Consumer performing vulnerability management, I struggle to discover (become aware of) and manage vulnerabilities because my Suppliers patch them without informing me or providing the information I need at the time the patches are released.
I'm not sure what the rationale for this behavior is, and I'm not sure the CVE Program needs to know or care, although of course understanding the problem or motivation is helpful in developing a good solution. Maybe Suppliers don't want the shame or stigma of having CVE IDs published about their software. Maybe Suppliers believe that silent patching reduces risk to their users. Maybe Suppliers are trying to dance around regulation. It's also possible that Suppliers privately notify users. One might argue to always apply updates. In practice, this is untenable, and users prioritize updates based on many factors, including cyber security risk analysis.
The primary counter argument is that silent patches actually increase risk to users, since adversaries can and do analyze patches, discover vulnerabilities, and exploit users. Users are at a time disadvantage: adversaries start the moment the patches are released, while users may (need to, or choose to) wait until vulnerability information is available to them.
(This is the adversary completing their OODA loop before the defender completes theirs, because the Supplier did not give the defender the information necessary to start their loop).
https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/