Safeguard
Open Source Security

The Real Cost of Delayed Patching in Open Source Components

Patches for open source flaws often exist for months before teams apply them. Here is what that patch lag actually costs in breaches, cleanup, and trust.

Vikram Iyer
Security Researcher
8 min read

A fix for CVE-2017-5638, the Apache Struts flaw that Equifax failed to apply, was published on March 7, 2017. Attackers were inside Equifax's systems by mid-May. That gap — roughly ten weeks between "patch available" and "breach begins" — turned into 147 million exposed records and a cleanup bill north of $1.4 billion. Four years later, Log4Shell (CVE-2021-44228) shipped a fix the same day it was disclosed, December 10, 2021, and organizations were still shipping vulnerable versions of Log4j two and three years on. This is open source patch lag cost in its purest form: the difference between when a fix exists and when it actually reaches production is rarely measured in hours. It's measured in weeks, months, and sometimes years — and every day in between is a day an attacker only has to find one unpatched instance. Here's what that lag actually costs, with real incidents and real numbers.

How Long Does It Really Take to Patch a Known Open Source Vulnerability?

The honest answer is months, not days, even for critical flaws with a one-line fix. Sonatype's State of the Software Supply Chain research has tracked Log4j download data since the December 2021 disclosure and found that, years later, a meaningful share of downloads — historically in the range of one in four to one in three — were still pulling vulnerable 1.x or pre-2.17 builds of the library. That's not a niche edge case; Log4j is one of the most widely used logging libraries in the Java ecosystem, and its fix was trivial to apply. GitHub's own Dependabot data tells a similar story: median time to merge a security update pull request commonly stretches into multiple weeks once you account for review queues, CI gating, and teams that simply don't see the alert. The pattern holds across ecosystems — npm, PyPI, Maven, RubyGems — because the bottleneck isn't the patch itself, it's everything an organization has to do to find where the vulnerable component lives, confirm it's actually reachable, and push a change through a release process built for features, not fires.

What Did Patch Lag Actually Cost in Real Breaches?

It cost Equifax over $1.4 billion, and it cost the industry an estimated tens of billions in emergency remediation after Log4Shell. Equifax's own timeline is the clearest public case study: the Apache Struts patch landed March 7, 2017, Equifax's internal scan for the vulnerability reportedly missed affected systems, attackers exploited the same flaw starting mid-May 2017, and the breach wasn't detected until July 29, 2017 — a lag from patch to detection measured in months. The company later agreed to a $700 million FTC settlement, on top of total costs that public filings put well above $1.4 billion once legal fees, credit monitoring, and remediation were included. Log4Shell played out differently but just as expensively: because Log4j is embedded transitively inside thousands of downstream applications and vendor products, most organizations couldn't just "apply the patch" — they first had to figure out whether they even had the vulnerable code, often several dependency layers deep. Multiple industry estimates put the collective incident-response and remediation spend from Log4Shell in the billions of dollars globally, driven almost entirely by discovery time, not fix time.

Why Does a Fix Existing Not Mean a Fix Gets Applied?

Because in a modern application, the vulnerable component is usually buried three or four dependency layers away from anyone who has the authority or context to update it. A direct dependency in your package.json or pom.xml is relatively easy to bump — a transitive dependency pulled in by a dependency of a dependency is not. Log4Shell was so damaging precisely because Log4j wasn't something most engineering teams had deliberately chosen; it arrived bundled inside logging frameworks, application servers, and commercial software they'd bought. Fixing it meant waiting on a chain of vendors to each ship their own updates, then waiting again for internal teams to deploy them. Add to that alert fatigue — a single mid-size engineering org can see hundreds of open source vulnerability alerts a month across its dependency tree, and most vulnerability scanners don't distinguish a flaw in dead code from one sitting on an internet-facing request path. When every alert looks equally urgent, teams triage by severity score alone, and a lot of genuinely exploitable issues sit in the backlog behind CVEs that sound scarier on paper.

How Much Does Patch Lag Add to the Cost of a Breach Specifically?

Breaches that take longer to identify and contain cost measurably more, and unpatched known vulnerabilities are one of the most common reasons that timeline stretches out. IBM's Cost of a Data Breach research has consistently found that breach lifecycles run into the hundreds of days from initial compromise to containment, and that breaches with longer lifecycles cost significantly more than those caught and closed quickly — often over a million dollars more per incident when containment drags past roughly seven months. Separate industry surveys, including Ponemon Institute research conducted with ServiceNow, have found that a majority of breach victims say the vulnerability that let attackers in had a patch available before the breach occurred — the fix existed, it simply hadn't been deployed. Verizon's Data Breach Investigations Report has also tracked a sharp year-over-year rise in breaches that start with exploitation of a vulnerability as the initial access vector, a trend accelerated by incidents like the 2023 MOVEit campaign, where a single unpatched file-transfer component compromised data at hundreds of organizations weeks after related fixes had already started circulating.

Is Patch Lag Just a Cost Center, or Does It Compound Over Time?

It compounds, because every unpatched vulnerability you carry forward adds to a growing surface that has to be triaged, explained to auditors, and eventually fixed under worse conditions than if you'd handled it on day one. A component with a known CVE sitting in production for six months isn't a static risk — it's a liability that shows up again in every SOC 2 audit cycle, every customer security questionnaire, and every new CVE published against a library your team already knows is behind. Compliance frameworks increasingly expect organizations to show not just that they scan for vulnerabilities but that they remediate them within defined SLAs; a patch lag of 90 or 180 days on a critical, internet-facing dependency is the kind of finding that turns a routine audit into a remediation plan with a deadline. The longer a known-vulnerable component stays in place, the more expensive it becomes to fix, because the fix is no longer "bump a version number" — it's "bump a version number across twelve services, under a compliance deadline, while explaining to a customer why it wasn't done six months ago."

How Safeguard Helps

Safeguard is built around the part of this problem that actually determines patch lag cost: knowing what you have, whether it's reachable, and what to fix first. Our software composition analysis maps every open source component in your applications — including the transitive dependencies three and four layers deep that made Log4Shell so hard to find — and continuously matches that inventory against newly disclosed CVEs the moment they're published, not weeks later during a scheduled scan. Reachability analysis cuts through alert fatigue by distinguishing vulnerable code that's actually invoked in your application from code that's present but dormant, so security and engineering teams stop treating every CVE as equally urgent and start fixing the ones that are exploitable in production first.

Safeguard also generates and maintains a continuously updated SBOM for every build, so when the next Log4Shell-style disclosure hits, the question "do we have this?" is answered in minutes instead of days of manual dependency archaeology across every service and vendor product. Automated pull requests for available fixes remove the manual step of tracking down the right version bump, and policy gates in CI/CD let teams enforce real remediation SLAs — for example, blocking a release if a critical, reachable vulnerability has sat unpatched past an agreed window — turning "we should patch that eventually" into an enforced part of the release process. For compliance teams, Safeguard's audit trail shows exactly when a vulnerability was disclosed, when it was detected in your environment, and when it was remediated, converting patch lag from an invisible risk into a measured, managed metric you can actually improve month over month.

The lesson from Equifax and Log4Shell isn't that patches are hard to write — both fixes were straightforward. It's that finding where a vulnerable component lives, confirming it matters, and getting a fix deployed is the actual cost driver, and it's a problem of visibility and process, not code. Closing that gap is what brings the real cost of open source patch lag down.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.