The Secret Life of CVEs

📅 2023-05-01
🏛️ IEEE Working Conference on Mining Software Repositories
This study investigates the vulnerability lifetime—the time interval from CVE disclosure to patching—in software projects, systematically analyzing how programming language choice, project characteristics, and intrinsic CVE attributes influence repair latency. Methodologically, it pioneers the application of survival analysis (Cox proportional hazards modeling and Kaplan–Meier estimation) to CVE lifecycle modeling, integrating large-scale CVE databases with cross-language and cross-project feature engineering to uncover nonlinear effects of multidimensional risk factors. Results demonstrate that memory-safe languages (e.g., Rust), highly active maintenance projects, and higher CVSS severity scores significantly accelerate patching. The proposed model achieves substantially improved prediction accuracy over baseline approaches. This work contributes an interpretable, reusable, empirically grounded framework—supported by quantitative evidence—for prioritizing vulnerability response efforts in practice.

📝 Abstract
The Common Vulnerabilities and Exposures (CVEs) system is a reference method for documenting publicly known information security weaknesses and exposures. This paper presents a study of the lifetime of CVEs in software projects and the risk factors affecting their existence. The study uses survival analysis to examine how features of programming languages, projects, and CVEs themselves impact the lifetime of CVEs. We suggest avenues for future research to investigate the effect of various factors on the resolution of vulnerabilities.
Problem


Analyzing CVE lifetime in software projects
Identifying risk factors affecting vulnerability existence
Investigating programming language impact on CVE resolution
Innovation


Survival analysis for CVE lifetime study
Examining programming language impact on CVEs
Investigating project features affecting vulnerability resolution
Authors

Piotr Przymus, Nicolaus Copernicus University in Toruń (software engineering, data mining, machine learning)
Mikołaj Fejzer, Nicolaus Copernicus University, Toruń, Poland
Jakub Narębski, Nicolaus Copernicus University, Toruń, Poland
K. Stencel, University of Warsaw, Warsaw, Poland