Theseus

A core assumption underlying organizational security practices is that defenders are able to remediate known vulnerabilities in their systems in a timely fashion. Otherwise, attackers can simply follow the breadcrumbs laid out by security advisories and exploit known weaknesses, which is indeed what happens in many large breaches. While progress has been made for consumers, with automatic updates and default patching settings, this does not carry over to enterprises. They face a painful dilemma: patch too soon and risk downtime and failures; patch too late and get compromised by attacks on the unpatched weakness. As a result, organizations take a long time to patch even critical security vulnerabilities.


The central objective of THESEUS is to empower organizations to patch much faster. It aims to achieve this by radically changing the risk governance of patching. Changing the risk of patching for enterprises requires interdisciplinary breakthroughs at three interdependent levels:

  • Systems: reducing risk of patching via new techniques in automatic vulnerability and patch triaging, as well as automatic patch generation with live update for cases where critical patches pose unacceptable availability risks.
  • Enterprises: better quantifying the risk of patching by assessing and aggregating the results of patch triaging into a coherent estimate of exploit likelihood, one that accounts for different attacker models and for the functional impact of the patch.
  • Governance: more effectively managing risks of patching by introducing incentive mechanisms via notifications and information sharing, sector-wide benchmarks of patching speed, and potentially legal instruments.


THESEUS sets out to (1) bring advances from the lab into real-world settings by working with a large consortium of partners from healthcare and transportation who contribute people, data, and pilots; and (2) replace the status quo, as well as counterproductive solutions such as mandatory patching, with a richer set of governance interventions across these three levels.

Papers

Systems and Network Security Group at VU Amsterdam