Illustration: Sarah Grillo/Axios

A recent study found that only 5.5% of publicly disclosed security vulnerabilities were ever actually exploited by attackers in the wild.

Why it matters: That number makes instinctive sense to experts but can seem counterintuitive to anyone outside the field. That's because not all vulnerabilities are created equal, and in a world where hundreds of new bugs are disclosed every week, prioritizing the important ones is key to any defense.

The big picture: If the 5.5% statistic sounds jarring, you're not alone. Jay Jacobs, the lead author on the study, says he thought it'd be higher, too.

  • "When I first started working with vulnerabilities, I had that reaction," he said, "I saw that and thought the data must be wrong. I went to an expert to ask if the data seemed normal, and he said [nonchalantly] yeah, why?"
  • "You want to think it's like animals in the wild, and the vulnerabilities are their food sources. Why wouldn't they take all the food sources?"

The reasons they wouldn't can vary. Most hacking is criminal rather than espionage, and criminal hackers tend to pick the exploits that compromise the most computers for the least effort. Not every vulnerability is easy to exploit, and not every easy-to-exploit vulnerability sits in a product that is widely deployed.

The impact: The number of vulnerabilities attackers actually use matters because each month brings far more new vulnerabilities affecting any given organization than that organization can patch.

  • In fact, in research he published in conjunction with Kenna Security, Jacobs found that organizations patch only about 10% of their newly found vulnerabilities each month, regardless of the organization's size.
  • Patching isn't just a matter of hitting the "update" button. Updates, while critical, can break other crucial software, and often need to be tested before they are applied.

What's needed: That makes prioritizing vulnerabilities key. And that means taking several factors into account.

  • Companies are often quick to assume that the most important factor is the most obvious one: the severity of a bug. But a system's exposure to attack, and the defenses already in place around it, matter just as much.
  • "Organizations that are more mature will overlay asset management. If a high severity bug is in a server that’s better positioned, it might be able to wait," said Katie Moussouris, founder and CEO of Luta Security.
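The kind of overlay Moussouris describes can be made concrete. The following is an added illustration written for this page, not code or scoring from the Jacobs/Kenna study, Luta Security or Tenable: it ranks a constructed inventory of vulnerabilities by combining base severity with evidence of in-the-wild exploitation, the asset's exposure, its criticality and any compensating controls, then compares that order with a severity-only order. The weights, the `VULN-*` labels and the asset names are all assumptions chosen to show the effect, not published figures.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions for this example, not figures from any study).
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}
CONTROL_REDUCTION = {          # fraction of risk a compensating control removes
    "waf": 0.3,
    "edr": 0.2,
    "segmented": 0.3,
    "no_exec_path": 0.5,       # vulnerable code not reachable in this deployment
}
EXPLOITED_BOOST = 4.0          # exploitation observed in the wild dominates severity
WEAPONIZED_BOOST = 2.0         # public exploit code exists, no observed attacks yet


@dataclass
class Vuln:
    ident: str                 # constructed label, not a real CVE identifier
    cvss: float                # base severity score, 0-10
    asset: str                 # constructed asset name
    exposure: str              # "internet" | "internal" | "isolated"
    asset_criticality: float   # 1 (low) .. 3 (crown jewels)
    exploited_in_wild: bool = False
    exploit_public: bool = False
    controls: tuple = ()       # names from CONTROL_REDUCTION


def priority_score(v: Vuln) -> float:
    """Risk score: severity x threat evidence x exposure x criticality x residual.

    'residual' is what is left after each compensating control removes its share.
    """
    severity = v.cvss / 10.0
    if v.exploited_in_wild:
        threat = EXPLOITED_BOOST
    elif v.exploit_public:
        threat = WEAPONIZED_BOOST
    else:
        threat = 1.0
    exposure = EXPOSURE_WEIGHT[v.exposure]
    residual = 1.0
    for control in v.controls:
        residual *= 1.0 - CONTROL_REDUCTION.get(control, 0.0)
    return round(severity * threat * exposure * v.asset_criticality * residual, 3)


def prioritize(vulns):
    """Highest risk first, using the overlay above."""
    return sorted(vulns, key=priority_score, reverse=True)


def ranked_by_cvss_only(vulns):
    """The naive order: highest base severity first, nothing else considered."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def select_for_cycle(vulns, capacity: int):
    """Pick what fits into one patch cycle when only 'capacity' fixes can ship."""
    return prioritize(vulns)[:capacity]


# Constructed sample inventory for the example.
SAMPLE = [
    Vuln("VULN-A", 9.8, "build-server", "isolated", 2,
         controls=("segmented", "no_exec_path")),
    Vuln("VULN-B", 6.5, "customer-portal", "internet", 3,
         exploited_in_wild=True, controls=("waf",)),
    Vuln("VULN-C", 7.5, "vpn-gateway", "internet", 3, exploit_public=True),
    Vuln("VULN-D", 9.1, "hr-db", "internal", 3, controls=("edr",)),
    Vuln("VULN-E", 4.3, "wiki", "internal", 1),
]

if __name__ == "__main__":
    print("severity only :", [v.ident for v in ranked_by_cvss_only(SAMPLE)])
    print("with overlay  :", [(v.ident, priority_score(v)) for v in prioritize(SAMPLE)])
    print("this cycle    :", [v.ident for v in select_for_cycle(SAMPLE, 2)])
```

Run as-is, the 9.8-rated bug on the segmented build server, which leads the severity-only list, drops to the bottom of the overlay list, while the 6.5-rated bug that is being exploited against an internet-facing portal moves to the top and is the first thing that ships in a cycle with room for only two fixes. The specific multipliers are the part a real program has to calibrate against its own exploit-intelligence and asset data; the structure (threat evidence and exposure multiplying severity, controls discounting it) is the point.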

One factor not to take into account? Us. Or more accurately, media exposure of a vulnerability in general.

  • "If you read the announcements, everything is the end of the world," said Renaud Deraison, co-founder and CTO of Tenable, whose products manage vulnerability patching.
  • Tenable released a study last month demonstrating that there's no correlation between the amount of media attention a vulnerability receives and the urgency of patching it.
  • Take for example the recent series of microprocessor vulnerabilities at Intel and other chipmakers. "Everyone went to patch their CPU. It was a very disruptive, a very invasive thing to patch, and in the end there wasn't an attack," he said.
