
Report: 62% of Companies Take 48 Hours or Longer to Patch Known Critical Vulnerabilities

NopSec has released the findings from their State of Vulnerability Management report surveying 426 CISOs, information security managers, analysts, pen testers, and other security professionals.

According to respondents, 62% of companies take 48 hours or longer—some more than two weeks—to patch known critical vulnerabilities.

Additional insights include:

  • 58% of companies that track the volume of vulnerabilities have seen them double, triple, or quadruple over the past 12 months.
  • 70% say their vulnerability management program (VMP) is only somewhat effective or worse.
  • 34% responded that their VMP was not very effective at all.
  • 53% of respondents said their organization does not consume third-party threat intel, like penetration tests, vulnerability disclosures, and IP or domain reputation scores.
  • 58% also do not use a risk-based rating system to prioritize vulnerabilities.

“The future of vulnerability management is risk-based. Yet I often see that, without a risk-based approach to prioritizing the ever-growing list of vulnerabilities, organizations leave themselves exposed,” said Lisa Xu, CEO of NopSec. “What this report found is that some organizations have effective ways to detect, respond to, and remediate their vulnerabilities, while other organizations have more blind spots than they think. I hope these insights will be helpful to security leaders as they evaluate and strengthen their vulnerability management program.”