86% of vulnerabilities in the Top 50 programs had patches available on the day of disclosure; therefore the power to patch endpoints is in the hands of all end-users and organizations.
In 2012, 90% of vulnerabilities had patches available on the day of disclosure.
14% of vulnerabilities remain without a patch for longer than the first day of disclosure. This means that vulnerability intelligence and alternative remediation measures are required if organizations wish to keep their IT infrastructure watertight.
It is realistic to assume that 14% is a representative proportion of software products that are not patched quickly.
Reasons for delayed issuing of patches can be, for example: lack of vendor resources, uncoordinated releases or, on rare occasions, zero-day vulnerabilities.
Read more in the Secunia Vulnerability Review 2014.
* The Time-to-Patch numbers are not directly compatible with the numbers released in 2013. We have applied a different method for 2013, because an increasing number of vendors, particularly browser vendors, upgrade to new major versions, rather than patch existing versions. The numbers used in this report for Time-to-Patch are, however, comparable, as they are reached using the same method. Consequently, the year-on-year comparison in this report is reliable.