By Clare O’Gara
Mon | Jun 1, 2020 | 5:47 AM PDT

As it turns out, social media is about a lot more than status updates and memes.

According to research, it's often the first platform for discussions about software vulnerabilities. And that could be a security risk in itself.

How many software vulnerabilities are posted on social media first?

The Pacific Northwest National Laboratory (PNNL) tackles some of the world's greatest science and technology challenges.

In this case, PNNL looked at what it calls social cybersecurity.

It analyzed how often software security vulnerabilities, or bugs, appear on social media as a first mention in the world.

"Research showed that a quarter of discussions about software vulnerabilities from 2015 through 2017 appeared on social media sites before landing in the National Vulnerability Database, the official U.S. repository for such information."

The study examined three platforms: Twitter, Reddit, and GitHub. GitHub, a popular networking and development site for programmers, was the most frequent origin for these conversations, with 47% of the disclosures beginning on the platform before spreading to the other social media channels.

How long are software vulnerabilities discussed before government notification?

The researchers tracked a software vulnerability's posting date on GitHub, Twitter, and Reddit and then compared it to the date when that security flaw appeared in the National Vulnerability Database.

"For this segment of vulnerabilities, it took an average of nearly 90 days for the gap discussed on social media to show up in the national database."
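A minimal version of the lag measurement described above, added here as an illustration and not PNNL's own code: it takes constructed records (earliest observed mention per platform plus the NVD publication date, all invented) and reports how many vulnerabilities surfaced on social media first, the mean lead time in days, and which platform was the origin. Platform names and the record layout are assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample records, not the PNNL dataset. Each holds the NVD
# publication date and the earliest mention we observed on each platform.
SAMPLE = [
    {"id": "VULN-A", "nvd": date(2017, 3, 1),
     "mentions": {"github": date(2016, 12, 1), "twitter": date(2016, 12, 20)}},
    {"id": "VULN-B", "nvd": date(2017, 6, 15),
     "mentions": {"reddit": date(2017, 5, 1), "github": date(2017, 5, 10)}},
    {"id": "VULN-C", "nvd": date(2017, 1, 10),
     "mentions": {"twitter": date(2017, 2, 1)}},      # NVD came first
    {"id": "VULN-D", "nvd": date(2017, 9, 1),
     "mentions": {}},                                  # never seen on social media
]


def first_mention(record):
    """Return (platform, date) of the earliest social-media mention, or None."""
    if not record["mentions"]:
        return None
    platform, when = min(record["mentions"].items(), key=lambda kv: kv[1])
    return platform, when


def disclosure_lag(records):
    """Summarise how often, and by how many days, social media preceded NVD."""
    early = []  # (id, origin platform, days by which the mention led NVD)
    for r in records:
        fm = first_mention(r)
        if fm is None:
            continue
        platform, when = fm
        lead_days = (r["nvd"] - when).days
        if lead_days > 0:  # only count cases where social media was first
            early.append((r["id"], platform, lead_days))
    origin_counts = {}
    for _, platform, _ in early:
        origin_counts[platform] = origin_counts.get(platform, 0) + 1
    return {
        "total": len(records),
        "social_first": len(early),
        "social_first_fraction": len(early) / len(records) if records else 0.0,
        "mean_lag_days": mean(d for _, _, d in early) if early else 0.0,
        "origin_counts": origin_counts,
    }


if __name__ == "__main__":
    print(disclosure_lag(SAMPLE))
```

Run against a real feed, the same summary tells a defender how much earlier a public-source watch would have alerted them than the database alone.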

Posting software vulnerabilities on social media: good vs. bad

In some ways, researchers say, these discussions of software vulnerabilities among online peers can help with notification:

"...those vulnerabilities present a cybersecurity opportunity for governments to more closely monitor social media discussions about software gaps."

But the threat is also significant, because the postings alert criminal hackers and nation-state groups as well.

"Some of these software vulnerabilities have been targeted and exploited by adversaries of the United States. We wanted to see how discussions around these vulnerabilities evolved," says lead author Svitlana Volkova, senior research scientist in the Data Sciences and Analytics Group at PNNL.

"Social cybersecurity is a huge threat. Being able to measure how different types of vulnerabilities spread across platforms is really needed."

Researchers say cyberattacks in 2017 later linked to Russia involved more than 200,000 victims, affected more than 300,000 computers, and caused about $4 billion in damages.

"These attacks happened because there were known vulnerabilities present in modern software."

And 80 percent of code bases are known to contain at least one vulnerability, while many contain dozens of them.

Check out the PNNL research here.