Three years ago I released a tool called PHP Version Audit. The idea is that it parses the PHP changelog and notifies you if you are running a PHP version that has a CVE or has lost support.
Anyways, after running for three years, I thought it would be fun to put together some data. The most interesting one is that PHP Version Audit has a median CVE discovery of 5 hours after the PHP announcement. In contrast, the NVE CVE Database has a median of 260 hours - or almost 11 days. Of course the NVE CVE Database has all sorts of information like a vulnerability score, so maybe it’s an apples vs. oranges comparison. Anyways, I hope someone else finds this interesting :)
If you think PHP Version Audit is interesting, there is also Node Version Audit[0] that I released earlier this year.
lightswitch05|3 years ago
Anyways, after running for three years, I thought it would be fun to put together some data. The most interesting one is that PHP Version Audit has a median CVE discovery of 5 hours after the PHP announcement. In contrast, the NVE CVE Database has a median of 260 hours - or almost 11 days. Of course the NVE CVE Database has all sorts of information like a vulnerability score, so maybe it’s an apples vs. oranges comparison. Anyways, I hope someone else finds this interesting :)
If you think PHP Version Audit is interesting, there is also Node Version Audit[0] that I released earlier this year.
0: https://www.github.developerdan.com/node-version-audit/