
MB-R059 Advisory age/patch latency reported

C09 Extension Vulnerability Management (Severity: Medium)

Track how long each advisory has been public compared to when a patch became available and was adopted. Long patch latency indicates operational risk. Reporting advisory age helps teams measure vendor and internal responsiveness and prioritize overdue updates across extensions.

Why it Matters

When a vulnerability advisory is published, the time between disclosure and patch availability is called patch latency. If an extension vendor takes too long to release a fix, stores remain exposed even when admins monitor advisories closely. Measuring advisory age and patch latency highlights vendors who respond slowly and identifies risk hotspots in the extension ecosystem.

Reporting this metric allows security teams to prioritize vendors with better patch practices and to replace modules where vendors consistently delay security updates.

Verification Steps

Advisory timeline check

# For each advisory, capture:
# - Advisory publish date
# - Fixed version release date

# Calculate latency = (patch date - advisory date)

Policy threshold

# Define acceptable SLA
# Example: Patch latency must be ≤ 14 days for critical vulns

Remediation / Fix Guidance

  1. Track advisory metadata in your vulnerability management system.
  2. Flag vendors with high patch latency for closer review.
  3. Apply temporary mitigations if patch latency exceeds policy (see MB-R053).
  4. Escalate critical advisories that remain unpatched beyond SLA to business owners.
  5. When choosing new modules, prefer vendors with historically fast patch responses.

Examples

Fail Example

# Advisory: CVE-2024-5678 (published 2024-06-01)
# Patch release: 2024-08-15
# Patch latency = 75 days → FAIL (beyond 14-day SLA)

Pass Example

# Advisory: CVE-2025-1234 (published 2025-02-01)
# Patch release: 2025-02-05
# Patch latency = 4 days → PASS
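The verification steps and the two examples above can be automated with a small report script. The following is an added illustration, not part of the baseline or any vendor's tooling. It uses the two advisories and dates from this page, plus one constructed unpatched advisory so the "no fix yet" case is covered; the extension names, the non-critical SLA values and the report date are assumptions for the example, not values from the baseline.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Patch-latency SLA in days, keyed by advisory severity.
# The 14-day critical threshold is the one stated in MB-R059; the other
# values are assumed placeholders and should be replaced by your own policy.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}


@dataclass
class Advisory:
    advisory_id: str
    extension: str          # vendor/module name (assumed, not from the baseline)
    severity: str
    published: date         # advisory publish date
    patched: Optional[date] = None  # fixed-version release date; None while unpatched


@dataclass
class LatencyReport:
    advisory_id: str
    extension: str
    advisory_age_days: int              # days since publication, as of the report date
    patch_latency_days: Optional[int]   # patch date - advisory date; None while unpatched
    sla_days: int
    status: str                         # PASS, FAIL, PENDING or OVERDUE


def evaluate(adv: Advisory, as_of: date) -> LatencyReport:
    """Compute advisory age, patch latency and SLA status for one advisory."""
    sla = SLA_DAYS[adv.severity.lower()]
    age = (as_of - adv.published).days
    if adv.patched is None:
        # No fix available yet: only advisory age can be reported. The advisory
        # becomes OVERDUE once it has been public longer than the SLA allows.
        status = "OVERDUE" if age > sla else "PENDING"
        return LatencyReport(adv.advisory_id, adv.extension, age, None, sla, status)
    latency = (adv.patched - adv.published).days
    if latency < 0:
        # Bad metadata: a fix cannot predate the advisory it addresses.
        raise ValueError(f"{adv.advisory_id}: patch date precedes advisory date")
    status = "PASS" if latency <= sla else "FAIL"
    return LatencyReport(adv.advisory_id, adv.extension, age, latency, sla, status)


def build_report(advisories: List[Advisory], as_of: date) -> List[LatencyReport]:
    """Evaluate every tracked advisory against policy, slowest responders first."""
    rows = [evaluate(a, as_of) for a in advisories]
    rows.sort(key=lambda r: (r.patch_latency_days if r.patch_latency_days is not None
                             else r.advisory_age_days), reverse=True)
    return rows


def extensions_over_sla(rows: List[LatencyReport]) -> List[str]:
    """Extensions to flag for closer review (remediation step 2 of MB-R059)."""
    return sorted({r.extension for r in rows if r.status in ("FAIL", "OVERDUE")})


# Constructed sample data. The first two entries use the CVE ids and dates from
# the baseline's Fail and Pass examples; the third is an invented unpatched
# advisory. Extension names are placeholders.
SAMPLE_ADVISORIES = [
    Advisory("CVE-2024-5678", "vendor-a/checkout-module", "critical",
             date(2024, 6, 1), date(2024, 8, 15)),
    Advisory("CVE-2025-1234", "vendor-b/search-module", "critical",
             date(2025, 2, 1), date(2025, 2, 5)),
    Advisory("EXAMPLE-UNPATCHED-0001", "vendor-c/shipping-module", "critical",
             date(2025, 3, 1), None),
]
REPORT_DATE = date(2025, 3, 20)  # assumed "as of" date for the report


if __name__ == "__main__":
    for r in build_report(SAMPLE_ADVISORIES, REPORT_DATE):
        latency = "n/a" if r.patch_latency_days is None else f"{r.patch_latency_days}d"
        print(f"{r.advisory_id:24} {r.extension:28} age={r.advisory_age_days}d "
              f"latency={latency:>5} sla={r.sla_days}d {r.status}")
    print("flag for review:", extensions_over_sla(build_report(SAMPLE_ADVISORIES, REPORT_DATE)))
```

The report distinguishes FAIL (a patch exists but arrived after the SLA) from OVERDUE (no patch yet and the advisory has aged past the SLA); the latter is the case where the temporary mitigations of MB-R053 apply, and it is exactly the case a latency-only calculation silently drops because there is no patch date to subtract.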

References