Why it Matters

When a vulnerability advisory is published, the time between disclosure and patch availability is called patch latency. If an extension vendor takes too long to release fixes, stores remain exposed even if admins monitor advisories closely. Measuring advisory age and patch latency highlights vendors who respond slowly and identifies risk hotspots in the ecosystem.

Reporting this metric allows security teams to prioritize vendors with better patch practices and to replace modules where vendors consistently delay security updates.

Verification Steps

Advisory timeline check

# For each advisory, capture:
# - Advisory publish date
# - Fixed version release date

# Calculate latency = (patch date - advisory date)

Policy threshold

# Define acceptable SLA
# Example: Patch latency must be ≤ 14 days for critical vulns

Remediation / Fix Guidance

  1. Track advisory metadata in your vulnerability management system.
  2. Flag vendors with high patch latency for closer review.
  3. Apply temporary mitigations if patch latency exceeds policy (see MB-R053).
  4. Escalate critical advisories that remain unpatched beyond SLA to business owners.
  5. When choosing new modules, prefer vendors with historically fast patch responses.

Examples

Fail Example

# Advisory: CVE-2024-5678 (published 2024-06-01)
# Patch release: 2024-08-15
# Patch latency = 75 days → FAIL (beyond 14-day SLA)

Pass Example

# Advisory: CVE-2025-1234 (published 2025-02-01)
# Patch release: 2025-02-05
# Patch latency = 4 days → PASS
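The timeline check and SLA comparison above, carried out in code as an added example (not part of the baseline itself). It reproduces the two advisories on this page and adds a constructed, still-unpatched advisory whose age is measured against today's date; the vendor names, the "EXAMPLE-0003" identifier and the non-critical SLA values are assumptions, since the page only states the 14-day threshold for critical vulnerabilities.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed SLA table in days; only the critical value (14) comes from the baseline.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}


@dataclass
class Advisory:
    advisory_id: str
    vendor: str          # constructed vendor label, not a real extension vendor
    severity: str
    published: date      # advisory publish date
    patched: Optional[date]  # fixed-version release date; None while no fix exists


def patch_latency_days(adv: Advisory, today: date) -> int:
    """Latency = patch date - advisory date. For an open advisory, its age so far."""
    end = adv.patched if adv.patched is not None else today
    return (end - adv.published).days


def evaluate(adv: Advisory, today: date) -> Dict[str, object]:
    """Compare latency against the severity SLA; unpatched advisories past SLA also FAIL."""
    sla = SLA_DAYS[adv.severity.lower()]
    latency = patch_latency_days(adv, today)
    return {
        "advisory": adv.advisory_id,
        "vendor": adv.vendor,
        "latency_days": latency,
        "sla_days": sla,
        "patched": adv.patched is not None,
        "status": "PASS" if latency <= sla else "FAIL",
    }


def vendors_over_sla(advisories: List[Advisory], today: date) -> List[str]:
    """Vendors to flag for closer review (remediation step 2): any advisory beyond SLA."""
    return sorted({a.vendor for a in advisories if evaluate(a, today)["status"] == "FAIL"})


# Constructed sample set: the page's two examples plus one open advisory.
SAMPLE_ADVISORIES = [
    Advisory("CVE-2024-5678", "vendor-a", "critical", date(2024, 6, 1), date(2024, 8, 15)),
    Advisory("CVE-2025-1234", "vendor-b", "critical", date(2025, 2, 1), date(2025, 2, 5)),
    Advisory("EXAMPLE-0003", "vendor-c", "critical", date(2025, 2, 10), None),
]

if __name__ == "__main__":
    for adv in SAMPLE_ADVISORIES:
        print(evaluate(adv, date(2025, 3, 1)))
    print("flag for review:", vendors_over_sla(SAMPLE_ADVISORIES, date(2025, 3, 1)))
```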

References