Vulnerability Remediation Timelines: how fast should you patch?

This is a collection of statistics I gather on the topic of vulnerability remediation timelines.

Vulnerability remediation timelines

Source	Metric	Remediation timeline
CISA	Critical vulnerabilities	15 days
EdgeScan’s 2022 report	Average MTTR for Public Administration Industry	89 days
EdgeScan’s 2022 report	Average MTTR for Manufacturing Industry	81 days
EdgeScan’s 2022 report	Average MTTR for Education Services Industry	81 days
EdgeScan’s 2022 report	Average MTTR for Professional, Scientific & Technical Services Industry	69 days
EdgeScan’s 2022 report	Average MTTR for Accommodation & Food Services Industry	68 days
EdgeScan’s 2022 report	Average MTTR for Healthcare Industry	63 days
EdgeScan’s 2022 report	Average MTTR for Information Industry	57 days
EdgeScan’s 2022 report	Average MTTR for Retail Industry	55 days
Mend.io (2023)	Average time to fix a vulnerability	271 days
Mend.io (2023)	Average time to fix a vulnerability with Mend (from Sample of companies that have implemented Mend)	70 days
Infosec Institute	MTTR for vulnerabilities (general)	60 to 150 days
Gitlab	SLA for critical vuln remediation	30 days
Ivanti	SLA for critical vuln remediation	14 days
U.S. General Services Administration	Critical and High vulnerabilities	30 days
New York University	SLA for critical vuln remediation	30 days
University of Michigan	SLA for critical vuln remediation	30 days
UCLA	SLA for critical vuln (Severity 5 in Qualys)	14 days
NASA’s Software Engineering Handbook	Vulnerabilities categorized as high	5 working days
NASA’s Software Engineering Handbook	Vulnerabilities categorized as moderate	30 working days
NASA’s Software Engineering Handbook	Vulnerabilities categorized as low	60 working days
Google’s Project Zero	Vulnerabilities with CVSS score more than 4.0	90 days
Automox 2020 Cyber Hygiene Report	Largest group of respondents’ average patching time for critical and high severity vulnerabilities (Across all four categories of systems that they surveyed this was the remediation time followed by the largest set of respondents)	4 – 30 days
FedRamp	Mitigation of high-risk vulnerabilities	30 days
FedRamp	Mitigation of moderate-risk vulnerabilities	90 days
FedRamp	Mitigation of low-risk vulnerabilities	180 days

Sources

• Edgescan’s 2024 Vulnerability Statistics Report (✨ a must-read document):
  • https://www.edgescan.com/stats-report/
• NASA’s Software Engineering Handbook
  • https://swehb.nasa.gov/display/SWEHBVD/SWE-159+-+Verify+and+Validate+Risk+Mitigations
• Cycognito
  • https://www.spiceworks.com/it-security/vulnerability-management/guest-article/how-to-reduce-mttr-for-external-vulnerabilities/
• Mend.io
  • https://www.mend.io/blog/securing-the-software-supply-chain-mend-open-source-risk-report/
• Infosec Institute
  • Time to patch: Vulnerabilities exploited in under five minutes? | Infosec (infosecinstitute.com)
• GitLab’s handbook
  • Vulnerability Management | The GitLab Handbook
• Ivanti
  • The Industry is Driving Toward a 14-Day SLA on Vulnerability Remediation. What’s Holding You Back?
• U.S. General Services Administration
  • Vulnerability-Management-Process-[CIO-IT-Security-17-80-Rev-4]-03-13-2023.pdf (gsa.gov)
• New York University
  • Policy on Security Vulnerability Management (nyu.edu)
• University of Michigan
  • Vulnerability Remediation / safecomputing.umich.edu
• UCLA
  • Vulnerability Management | Office of the Chief Information Security Officer (ucla.edu)
• Automox’s 2020 Cyber Hygiene Report
  • Automox_2020_Cyber_Hygiene_Report-What_You_Need_to_Know_Now.pdf
• FedRamp
  • https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf