Patching zero-day vulnerabilities: an empirical analysis
Journal of Cybersecurity, Pub Date: 2021-11-24, DOI: 10.1093/cybsec/tyab023
Yaman Roumani

Zero-day vulnerabilities remain one of the major security threats that are faced by organizations. Once a vendor learns about a zero-day vulnerability, releasing a timely patch becomes a priority given the risk of zero-day exploits. However, we still lack information on the factors that affect patch release time of such vulnerabilities. The main objective of this study is to examine the impact of other as-yet unexplored factors on the patch release time of zero-day vulnerabilities. Using a zero-day vulnerability dataset captured between 2010 and 2020, we employ a survival analysis technique. Our model explores the impact of vulnerability attack vector, attack complexity, privileges required, user interaction, scope, confidentiality, integrity, and availability impact on patch release timing. Findings show that a zero-day vulnerability is more likely to be patched on time if the vulnerability results in a scope change and affects more vendors, products, and versions. However, a zero-day vulnerability is less likely to be patched on time if it requires privileges and impacts confidentiality. Our sub-analyses also reveal how patch release times vary across different products and vulnerability types.

Updated: 2021-11-24