Эта статья является препринтом и не была отрецензирована.
О результатах, изложенных в препринтах, не следует сообщать в СМИ как о проверенной информации.
UPS Meets Patch Queues Evidence-timeline prioritization under limited capacity, cadence, and compliance gravity
1. Sergey Gordeychik. Prediction Meets Patch Queues: Empirical Limits of EPSS-Only Prioritization Using CISA KEV Additions in 2025. TechRxiv preprint, 2026. DOI: 10.36227/techrxiv.176857939.95987957/v1.
2. Viktoria Koscinski, Mark Nelson, Ahmet Okutan, Robert Falso, and Mehdi Mirakhorli. Con- flicting Scores, Confusing Signals: An Empirical Study of Vulnerability Scoring Systems. arXiv:2508.13644, 2025.
3. Michael Spence. Job market signaling. The Quarterly Journal of Economics, 87(3):355–374, 1973. DOI: 10.2307/1882010.
4. Esther Gal-Or and Anindya Ghose. The economic incentives for sharing security information. Information Systems Research, 16(2):186–208, 2005. DOI: 10.1287/isre.1050.0053.
5. Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Lei Zhou. The impact of information sharing on cybersecurity underinvestment: A real options perspective. Journal of Accounting and Public Policy, 34(5):509–519, 2015. DOI: 10.1016/j.jaccpubpol.2015.05.001.
6. ENISA. Economics of Vulnerability Disclosure. European Union Agency for Cybersecurity, December 2018.
7. CISA. Known exploited vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency.
8. CISA. Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. U.S. Cybersecurity and Infrastructure Security Agency, November 2021.
9. PCI Security Standards Council. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1. June 2024.
10. VulnCheck. VulnCheck KEV (Known Exploited Vulnerabilities): Documentation. VulnCheck Community Docs.
11. FIRST. Exploit Prediction Scoring System (EPSS). https://www.first.org/epss/. Accessed 2026-01-31.
12. FIRST. EPSS data and statistics (downloadable scores and percentiles). https://www.first. org/epss/data_stats. Accessed 2026-01-31.
13. Yelena Mujibur Sheikh, et al. RiskBridge: Turning CVEs into Business-Aligned Patch Priorities. arXiv:2601.06201, 2026.
14. Naoyuki Shimizu and Masaki Hashimoto. Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization. arXiv:2506.01220, 2025.
15. Abdulrahman Alhomidi, Mark Reed, and Stewart Kowalski. CAVP: A context-aware vulnerability prioritization model. Computers & Security, 116:102628, 2022. doi: 10.1016/j.cose.2022.102628.
16. Adeel Zaidi, et al. SmartPatch: A patch prioritization framework. Computers in Industry, 137:103595, 2022. doi: 10.1016/j.compind.2021.103595.
17. CIRCL. Vulnerability-Lookup: Sightings API. https://vulnerability.circl.lu/sightings /. Accessed 2026-01-31.
18. Carl Sabottke, Octavian Suciu, and Tudor Dumitras. Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits. In 24th USENIX Security Symposium (USENIX Security 15), 2015. https://www.usenix.org/conference/usenixsecu rity15/technical-sessions/presentation/sabottke.
19. Haipeng Chen, et al. Using Twitter to Predict When Vulnerabilities will be Exploited. In
20. Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD ’19), 2019. doi: 10.1145/3292500.3330742.
21. Prasha Shrestha, et al. Multiple social platforms reveal actionable signals for software vulnera- bility awareness: A study of GitHub, Twitter and Reddit. PLOS ONE, 15(3):e0230250, 2020. doi: 10.1371/journal.pone.0230250.
22. Sarah Elder, et al. A Survey on Software Vulnerability Exploitability Assessment. ACM Computing Surveys, 56(8), 2024. doi: 10.1145/3648610.
23. Jonathan Spring, Allen D. Householder, Eric Hatleback, Art Manion, Madison Oliver, Vijay S. Sarvepalli, Laurie Tyzenhaus, and Charles G. Yarbrough. Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0). Software Engineering Institute, Carnegie Mellon University, April 30, 2021. https://www.sei.cmu.edu/library/prioriti zing-vulnerability-response-a-stakeholder-specific-vulnerability-categorizatio n-version-20/.