angler-fishThe Vulnerability History Project

Lifetime: 2 to 5 years

How long was this in the system? The collection of **lifetime** measure the length of time between the earliest vulnerability-contributing commit (VCC) and the earliest fix commit. During this lifetime is when developers **missed** the vulnerability. Our breakdown of vulnerability lifetimes are arbitrary. The categories are: * Less than 30 days * 30 to 90 days * 90 to 180 days * 180 days to 1 year * 1 to 2 years * 2 to 5 years * 5+ years

Examples

What is a VCC?

A **Vulnerability-Contributing Commit** is the change to source code that is likely the origin of a vulnerability. Finding a VCC is our attempt at finding the original mistake that was made... and missed... that led to a vulnerability.

expand_less