Social media faster than official sources to identify software flaws
- By Susan Miller
- May 04, 2020
Researchers studying software security found that a quarter of the vulnerabilities discussed on social media sites appeared there nearly 90 days before they showed up in the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data administered by the National Institute of Standards and Technology.
Computer scientists in the Data Sciences and Analytics Group at the Department of Energy's Pacific Northwest National Laboratory found that the most likely starting point for discussion of Common Vulnerabilities and Exposures entries (CVEs) -- common identifiers for publicly known cybersecurity vulnerabilities -- was GitHub, the highly collaborative software development and code-sharing platform. Forty-seven percent of the discussions started there before moving to Twitter and Reddit.
The researchers estimated that nearly a quarter of CVEs discussed on social media between 2015 and 2017 were discussed on social platforms prior to their addition to the NVD. “For these CVEs, the difference between the date when a CVE appears in one of the social platforms we studied and the date of its publication to NVD is 87 days on average,” they wrote in a paper published in PLOS ONE.
In one example, CVE-2016-4117, a vulnerability in Adobe Flash, appeared “on all three platforms -- Twitter, Reddit and GitHub on the same day a month before its announcement on NVD,” the researchers said.
"Some of these software vulnerabilities have been targeted and exploited by adversaries of the United States. We wanted to see how discussions around these vulnerabilities evolved," senior research scientist and lead author Svitlana Volkova said. "Social cybersecurity is a huge threat. Being able to measure how different types of vulnerabilities spread across platforms is really needed."
The researchers also found variances in the way information spread on different social media sites. Surprisingly, there were more mentions of software vulnerabilities on Twitter and Reddit than on platforms dedicated to developers like Stack Overflow and Stack Exchange. “The severity of a vulnerability contributes to how much it spreads, especially on Twitter. Highly severe vulnerabilities have significantly deeper, broader and more viral discussion threads,” they wrote.
While the practice of discussing unreported vulnerabilities on social media sites could pose a national security threat, the researchers said it also creates opportunity for governments to more closely monitor social media discussions about software gaps.
“Such trends of social media signals preceding official sources could potentially allow institutions to anticipate and prioritize which vulnerabilities to address first,” the researchers wrote.
“These and other findings can be used by analysts as well as by product vendors and codebase owners to increase the awareness about vulnerabilities and software patches among developers as well as general users,” the researchers said.
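The measurement the researchers describe (earliest social mention per platform, compared against the NVD publication date, plus the "not yet in NVD" watchlist that would let a defender prioritize patching) can be sketched in a few dozen lines. The following is an added example, not code from the PNNL study or the PLOS ONE paper. Every post, date and CVE identifier other than CVE-2016-4117 is constructed for illustration, and the dates attached to CVE-2016-4117 are placeholders chosen only to reproduce the "about a month" lead the article mentions, not the real ones.

```python
"""Lag between first social-media mention of a CVE and its NVD publication.

Added example, not the study's code. All posts, dates and CVE ids below
(except the id CVE-2016-4117 itself) are constructed placeholders.
"""
import re
from datetime import date
from statistics import mean

# CVE ids as they appear in free text; case-insensitive so "cve-2016-4117" counts.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed social posts: (platform, post date, text). Not real data.
POSTS = [
    ("github",  date(2016, 4, 12), "Workaround for CVE-2016-4117 in our Flash wrapper"),
    ("twitter", date(2016, 4, 12), "Anyone have details on cve-2016-4117?"),
    ("reddit",  date(2016, 4, 12), "Thread: is CVE-2016-4117 being seen in the wild?"),
    ("twitter", date(2017, 2, 1),  "Finally patched CVE-0000-0001 last week"),
    ("github",  date(2017, 3, 20), "Changelog references CVE-0000-0002"),
    ("reddit",  date(2017, 3, 25), "CVE-0000-0002 follow-up discussion"),
    ("github",  date(2017, 6, 1),  "Issue: crash looks like CVE-0000-0003, no advisory yet"),
]

# Constructed NVD publication dates (placeholders). CVE-0000-0003 has none:
# it stands for an id seen socially that NVD has not published yet.
NVD_PUBLISHED = {
    "CVE-2016-4117": date(2016, 5, 12),
    "CVE-0000-0001": date(2017, 1, 15),
    "CVE-0000-0002": date(2017, 3, 20),
}


def first_mentions(posts):
    """Map each CVE id to the earliest date it appeared on each platform."""
    seen = {}
    for platform, when, text in posts:
        for cve in {m.upper() for m in CVE_RE.findall(text)}:
            per_platform = seen.setdefault(cve, {})
            if platform not in per_platform or when < per_platform[platform]:
                per_platform[platform] = when
    return seen


def lead_times(mentions, nvd):
    """Days by which the first social mention preceded NVD publication.

    lead_days > 0: social media led NVD; < 0: NVD was first; None: the id is
    not in NVD at all yet (the early-warning case). 'origin' lists the
    platform(s) where the id first surfaced, 'platforms' how many carried it.
    """
    result = {}
    for cve, per_platform in mentions.items():
        first_date = min(per_platform.values())
        origin = sorted(p for p, d in per_platform.items() if d == first_date)
        published = nvd.get(cve)
        lead = (published - first_date).days if published else None
        result[cve] = {
            "first_seen": first_date,
            "origin": origin,
            "platforms": len(per_platform),
            "lead_days": lead,
        }
    return result


def summarize(leads):
    """Share of NVD-published CVEs that surfaced socially first, and their mean lead."""
    published = [v for v in leads.values() if v["lead_days"] is not None]
    early = [v["lead_days"] for v in published if v["lead_days"] > 0]
    share = len(early) / len(published) if published else 0.0
    return {"share_preceding_nvd": share,
            "mean_lead_days": mean(early) if early else 0.0}


def watchlist(leads):
    """CVE ids discussed socially with no NVD entry yet, widest spread first."""
    pending = [(cve, v) for cve, v in leads.items() if v["lead_days"] is None]
    pending.sort(key=lambda item: (-item[1]["platforms"], item[1]["first_seen"]))
    return [cve for cve, _ in pending]


if __name__ == "__main__":
    leads = lead_times(first_mentions(POSTS), NVD_PUBLISHED)
    for cve, info in sorted(leads.items()):
        print(cve, info)
    print("summary:", summarize(leads))
    print("not yet in NVD:", watchlist(leads))
```

On the constructed input, CVE-2016-4117 shows up on all three platforms the same day with a 30-day lead over its placeholder NVD date, CVE-0000-0001 was in NVD 17 days before anyone posted about it, CVE-0000-0002 landed in NVD the same day it was first mentioned (a lead of zero, which is not counted as "preceding"), and CVE-0000-0003 goes on the watchlist. A real deployment would feed `POSTS` from platform APIs and `NVD_PUBLISHED` from the NVD data feeds; the watchlist is the part a patch-prioritization team would act on.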
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
Connect with Susan at [email protected] or @sjaymiller.