Methodology
A breakdown of the projects purpose, what’s in scope, what data sources are used, how dates are sourced, how confidence is assigned, and where the data has limits. If you find an error or have an idea to improve this, please reach out (LinkedIn), as this dataset is meant to be corrected and improved over time.
Purpose
patchwindow’s purpose is to provide a data driven, defensible, and auditable measurement of how vulnerability exploitation has changed over time, and how the current threat landscape compares. It aims to separate hype from reality, and challenge commonly accepted narratives like mean time-to-exploit has been trending downwards for years or is rapidly declining due to AI enabled exploitation.
It is also intended as a usable data source for patch management programs, and to guide threat intelligence briefings to senior stakeholders and technical teams alike. The current form is phase 1 of the project, with phase 2 planned to include additional KEV sources, and more granular filtering and data analysis.
Scope
The database contains every CVE in CISA's Known Exploited Vulnerabilities (KEV) catalog
with a CVE identifier of CVE-2018-* or later, however the 2018 values
have been excluded from the snapshots and dashboards due to being too statically
anomalous (over 5 standard deviations from the mean). Also, pre-2018 entries are
excluded because data reliability for older incidents degrades significantly, and
many first-exploitation dates for early-2010s CVEs are not credibly documented in
public sources.
Data Sources
The CISA KEV catalogue is currently used as the sole data source for exploited vulnerabilities, as it is by far the lowest false positive rate. Other sources were reviewed and considered, but were assessed as having either too high a false positive rate, or were poor predictive indicators of actual exploitation (such as PoCs on GitHub).
Dashboard
The graphical representations and datapoints featured in the dashboard are based on key fields in the database, primarily Disclosure, First Exploited and First Reported (descriptions below). The Disclosure and First Exploited fields are used to establish the TTE for each CVE, and the First Reported enables us to accurately assess when exploitation of a vulnerability was widely known. This is key to performing like-for-like comparisons across years, which is the only way to accurately understand how key exploitation statistics, such as Mean TTE, Zero-day rate, and total CVEs exploited, is changing over time.
Other representations of how the mean TTE has changed over time, typically just measure it for all years from the current date, which severely biases recent years’ mean TTE downwards due to shorter overall elapsed times. By instead comparing snapshots across years, we get actual insight into how CVE exploitation has changed and a potential opportunity for predictive forecasting within a measurable error range, as the same predictive methodology can be validated against past years.
The dashboard graphs also highlight the mean TTE per year, both excluding zero-days and including zero-days. The purpose of the first is to provide the patch window defenders actually have for everything that isn’t a zero-day (as a zero-day’s patch window is known as zero), and the second is to provide a more definitionally accurate mean TTE representation.
Database Field Definitions
CVE, Vendor, Product
Sourced from the KEV catalog. Vendor and product names are normalised lightly for grouping (e.g. "Microsoft Corporation" → "Microsoft") but otherwise left as provided.
Disclosure
The CVE's NVD published date — the moment the CVE entry became public. For most CVEs this aligns within a day of vendor advisory publication; for a small number it diverges, and where the divergence is material the source notes flag it.
First Exploited
The earliest credible date of in-wild exploitation, drawn from primary sources: vendor advisories, incident-response writeups, threat intelligence publications, and post-incident law-enforcement disclosures. Where multiple sources give different dates, the earliest defensible one is taken, with the reasoning captured in source notes.
First Reported
The date the exploitation became publicly known — typically a vendor PSA, a research blog, or a news report. Always equal to or later than First Exploited.
TTE
Calculated as max(0, First Exploited − Disclosure). Values of 0
cover both "exploited on the day of disclosure" and "exploited some time before
disclosure" — i.e. the zero-day population. Use TTE inc negatives when this
distinction matters.
TTE inc negatives
First Exploited − Disclosure with no flooring. Negative values
indicate exploitation that pre-dated public disclosure of the vulnerability.
Zero-day
Defined as TTE inc negatives ≤ 0 — i.e. exploited at or before
public disclosure. This is a deliberately inclusive definition; it covers both
true pre-disclosure exploitation and "exploited on day 0" incidents where the
disclosure was effectively reactive to observed exploitation.
Confidence
Each row carries a high / medium / low confidence rating reflecting the documentary strength of the dates:
- High — Date is established by a primary source (vendor advisory, IR firm report, official disclosure) with internal consistency between sources.
- Medium — Date is established by a single primary source, or by multiple secondary sources without a primary citation.
- Low — Date is inferred from weaker signals (community speculation, KEV addition date used as proxy, single tertiary source). Read the source notes carefully.
KEV Added
The date CISA added the CVE to the KEV catalog. Useful as a publication-cadence signal but distinct from the exploitation timeline.
Snapshot tables
Each snapshot table is a point-in-time view. The 2018 row of the May month-end table shows only CVE-2018-* entries that were both disclosed and had exploitation publicly reported by May 31, 2018. This is the most useful comparator because it removes the bias from later-added entries — each row in a given table looks at each CVE year at the same vintage of data.
Why exclude later entries? If you simply look at "what does the 2018 catalog look like today" you're folding in seven years of subsequent enrichment. Comparing "May 2018 view of 2018 CVEs" to "May 2024 view of 2024 CVEs" gives a much cleaner read on how the patch window has actually moved.
Update cadence
Database is updated at the end of each month, and the dashboard chart are recalculated to reflect that latest month’s snapshot.
Major Updates
The first major update was completed on the 07th June 2026. Update included manually reviewing and cross-referencing source URLs (over 2000 so far) and data, with all low and medium confidence references reviewed, and all 2026 and most of 2025 reviewed too. Also, the decision was made to exclude the 2018 values from the snapshots and dashboard due to low sample size and subsequent anomalous data points (over 5 standard deviations from the mean).
The next major update will be completed before end of June 2026 and will include the manual review and cross referencing of the remaining source URLs and data points.
Known limits
- Survivorship. The dataset only contains CVEs CISA has chosen to add to KEV. Some exploited vulnerabilities never make the catalog, and their omission shapes any aggregate.
- "First exploited" is a floor, not a ceiling. The earliest known exploitation often post-dates the actual first exploitation. Treat values close to zero as "no later than" estimates.
- Vendor labelling is imperfect. Products span multiple vendors over their lifetime; the dataset uses the most current canonical vendor where reasonable.
- Low-confidence rows are kept, not dropped. Filtering them out would inflate the apparent precision of aggregates. Use the confidence column to weight your reading.
- Not all KEV entries have reliable exploitation dates. Where possible, evidence of exploitation was sourced from reliable sources to ascertain the exact date. Where no independent source was available, the CISA KEV updated date was used as a fall back first exploited date.
Source links
Every row has a primary Source URL and a short narrative in
Source Notes. Expand any row in the database
to read them. If you find a row where the date is wrong or the source is broken,
please get in touch
(LinkedIn).
License
The aggregated dataset is published under CC BY 4.0. CVE identifiers are managed by MITRE; the KEV catalog is maintained by CISA. This site is an independent analytical layer over those public sources.