In this paper, we report results on a large scale measurement campaign to collect temporal information about events associated with software vulnerabilities. The data is curated so as to extract dates from each of the analyzed security advisories. The resulting time series are our object of study. From our measurements we were able to identify which role was assumed by different platforms (such as websites and forums) in the security landscape, including sources and aggregators of information about vulnerabilities. Then, we propose an analytical model to express the flow of information through security advisories across multiple platforms. The model is based on a queueing network, where each platform corresponds to a queue which adds a delay in the information propagation. Such delays, in turn, have an impact on the visibility of the information at different platforms. Leveraging the proposed model and the collected data, we assess how different system parameters, such as the delays incurred by each platform to propagate its messages, impact the overall flow of information across platforms.

中文翻译：

---

论软件安全通报的流程


在本文中，我们报告了大规模测量活动的结果，以收集与软件漏洞相关的事件的时间信息。对数据进行整理，以便从每个分析的安全建议中提取日期。由此产生的时间序列是我们的研究对象。根据我们的测量，我们能够确定不同平台（例如网站和论坛）在安全领域所扮演的角色，包括有关漏洞的信息的来源和聚合器。然后，我们提出了一个分析模型来表达跨多个平台的安全建议的信息流。该模型基于排队网络，其中每个平台对应一个队列，这会增加信息传播的延迟。这种延迟反过来又会影响不同平台上信息的可见性。利用所提出的模型和收集的数据，我们评估不同的系统参数（例如每个平台传播消息所产生的延迟）如何影响跨平台的整体信息流。