Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.


You can find vulnerabilities in nearly everything. From Windows to websites to your own internal applications, vulnerabilities exist. They will always exist. The best means of protection is keeping up with security patches on a regular basis. With that in mind, Kenna Security and the Cyentia Institute recently analyzed the vulnerability patching practices of 300 organizations. See how your organization compares to these statistics.

Average Vulnerability Patch Time

On average, most organizations patch 25% of vulnerabilities within 4 weeks of discovery. It takes an additional 2 months to get to 50%. The average lifespan of any given vulnerability is about 100 days. From there, time increases dramatically. It takes the average organization a staggering 392 days to make it to 75%.

Vulnerability Stats Company Averages

Small Organizations vs. Large Ones

Surprisingly, smaller organizations install patches slightly faster than medium and large organizations. Small organizations patch 25% of vulnerabilities in 18 days compared to the 20 days it takes medium and large organizations. It only takes 56 days to get to 50% versus 60 days for medium organizations and 64 days for large organizations.

One would think that smaller organizations lack the personnel to keep up with these patches. However, the complexity level of IT environments grows as the organization does. Larger organizations have more complex IT systems. As a result, that complexity makes them harder to patch.

Patch Availability

You can’t patch vulnerabilities if a patch isn’t available. Once a vulnerability is identified, the vendor has to create a patch for it. Some vendors are better at that than others. Microsoft tops all other vendors in that regard. Microsoft patches 25% of vulnerabilities within 14 days and 50% within 37 days.

For comparison, the report states, “It takes 15 times longer for firms to address half their vulnerabilities affecting Oracle, HP, and IBM products than to reach that same milestone with Microsoft products!” Some platforms are easier to patch than others. The patching process for Java, an Oracle product, often causes more problems than it fixes. Keep this in mind when selecting software and hardware vendors.

Vulnerability Stats Vendor Averages

How Does Your Organization Compare?

Does your organization keep up with security patching? Do you have a vulnerability remediation process in place? Besides patching your OS and software, are you patching your hardware and other devices also? If you’re not sure or just need help keeping up, contact Pit Crew IT Services today. Request a free consultation below, and let us tune up your network.

Get a FREE IT Consultation!

Start Now