Analysis of vulnerability fixing process in the presence of incorrect patches
Published in: | The Journal of systems and software 2023-01, Vol.195, p.111525, Article 111525 |
---|---|
Main authors: | |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
ISSN: | 0164-1212, 1873-1228 |
DOI: | 10.1016/j.jss.2022.111525 |

Abstract: Software vulnerabilities or security breaches can have consequences like leakage of sensitive information and malware execution, which are critical to network security. Consequently, eliminating security loopholes and vulnerabilities is imperative for the system administrator to counteract security attacks. Software should be thoroughly reviewed before it is released to uncover these security invasions. However, it is not feasible to identify and overcome all software failures during software testing due to external instances of software development, implementation costs, execution time, and unanticipated modifications to the specification. Security patching is a viable solution for such software systems to prevent attackers from exploiting existing vulnerabilities. Even after patch distribution and installation, it is crucial to determine whether the patch has effectively eliminated the vulnerability. Incorrect patches may lead to new security bugs, which may be malicious and disastrous for developing businesses and users. The present research aims to model the trend of patched vulnerabilities methodically by incorporating the generation of new vulnerabilities due to unsuccessful updates and encompassed bug fixes. The proposed analytical model is validated on the vulnerability databases obtained from the Common Vulnerabilities and Exposures repository. The empirical analysis yields that the present research has better forecasting efficacy than the benchmark studies.

Highlights:
• A new analytical model for examining the vulnerability fixing process is proposed.
• The rate of successful and unsuccessful fixes is predicted by incorporating an imperfect patching process.
• Computational results ascertain the generation of new vulnerabilities due to ineffective patches.
• Excellent fit to the historical vulnerability data of Oracle VirtualBox and Google Chrome compared to benchmark models.