Fix ETAs
Get predicted fix timelines for all open CVEs. Estimates are based on multiple signals including severity, upstream fix availability, assignee status, linked PRs, package health, issue age, and comment activity.
Endpoint
GET /api/v1/fix-etas
Response
```json
{
  "success": true,
  "data": {
    "predictions": {
      "CVE-2025-1234": {
        "estimatedDays": 14,
        "confidence": 55,
        "etaDate": "2026-02-24",
        "range": {
          "low": "2026-02-17",
          "high": "2026-03-10"
        },
        "factors": [
          {
            "signal": "high_severity",
            "impact": "accelerator",
            "detail": "High severity increases urgency"
          },
          {
            "signal": "upstream_fix_available",
            "impact": "strong_accelerator",
            "detail": "Upstream fix exists - version bump likely"
          }
        ],
        "package": "openssl",
        "issueNumber": 42
      }
    },
    "totalPredicted": 25,
    "summary": {
      "within7Days": 5,
      "within30Days": 15,
      "within90Days": 22,
      "beyond90Days": 3
    },
    "lastUpdated": "2026-02-10T12:00:00.000Z"
  },
  "timestamp": "2026-02-10T12:00:00.000Z"
}
```
Response Fields
Per-CVE Prediction
| Field | Type | Description |
|---|---|---|
| estimatedDays | number | Predicted days until fix (1-180) |
| confidence | number | Confidence percentage (10-90%) |
| etaDate | string | Predicted fix date (ISO date) |
| range.low | string | Optimistic estimate date |
| range.high | string | Pessimistic estimate date |
| factors | array | Signals that influenced the prediction |
| package | string | Affected package name |
| issueNumber | number | GitHub issue number |
Prediction Factors
| Signal | Impact | Description |
|---|---|---|
| critical_severity | strong_accelerator | Critical CVEs get prioritized (0.4x time) |
| high_severity | accelerator | High severity increases urgency (0.6x) |
| upstream_fix_available | strong_accelerator | Upstream fix exists (0.4x) |
| assigned | accelerator | Issue has an assignee (0.5x) |
| linked_pr | strong_accelerator | PR already exists (capped at 7 days) |
| orphaned_package | strong_decelerator | No maintainer (2x time) |
| active_maintainers | accelerator | Multiple maintainers (0.8x) |
| stale_issue | decelerator | Open > 60 days (1.3x) |
| active_discussion | accelerator | 5+ comments (0.8x) |
Summary
| Field | Type | Description |
|---|---|---|
| within7Days | number | CVEs predicted to be fixed within 7 days |
| within30Days | number | CVEs predicted to be fixed within 30 days |
| within90Days | number | CVEs predicted to be fixed within 90 days |
| beyond90Days | number | CVEs predicted to take longer than 90 days |
Example
```bash
curl https://api.vulnpatch.dev/api/v1/fix-etas
```
Code Examples
```javascript
async function getUpcomingFixes() {
  const response = await fetch('https://api.vulnpatch.dev/api/v1/fix-etas');
  // Fail loudly on HTTP errors instead of parsing an error body
  if (!response.ok) {
    throw new Error(`fix-etas request failed: HTTP ${response.status}`);
  }
  const { data } = await response.json();
  // CVEs likely to be fixed soon
  const soonFixes = Object.entries(data.predictions)
    .filter(([, p]) => p.estimatedDays <= 7 && p.confidence >= 50)
    .sort((a, b) => a[1].estimatedDays - b[1].estimatedDays);
  console.log(`Expected fixes this week: ${soonFixes.length}`);
  soonFixes.forEach(([cve, p]) => {
    console.log(`  ${cve} (${p.package}): ~${p.estimatedDays}d, ${p.confidence}% confidence`);
  });
}
```
```python
import requests

# Set a timeout so a stalled connection cannot hang the caller
response = requests.get("https://api.vulnpatch.dev/api/v1/fix-etas", timeout=10)
response.raise_for_status()
data = response.json()["data"]
print(f"Summary: {data['summary']}")

# Stuck CVEs (high estimate, low confidence)
stuck = {cve: p for cve, p in data["predictions"].items()
         if p["estimatedDays"] > 90 and p["confidence"] < 30}
for cve, p in stuck.items():
    # Matches both "decelerator" and "strong_decelerator"
    factors = ", ".join(f["signal"] for f in p["factors"] if "decelerator" in f["impact"])
    print(f"  {cve}: ~{p['estimatedDays']}d - blockers: {factors}")
```
Use Cases
- Sprint planning: Know which CVEs are likely to be fixed soon
- Escalation: Identify CVEs with long ETAs that may need intervention
- Reporting: Provide stakeholders with estimated remediation timelines
- Prioritization: Focus on CVEs where a fix is imminent vs. stalled
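The escalation use case as an added example (not part of the vulnpatch documentation or client code): it checks each prediction against the documented field ranges, then flags CVEs whose pessimistic date (range.high) overruns an internal SLA. The SLA_DAYS values, the function names, and the CVE-0000-0001 entry are assumptions made for illustration.

```python
from datetime import date

# Assumed internal SLAs (days from the snapshot date), keyed by the documented
# severity signals. Placeholder policy values, not part of the API.
SLA_DAYS = {"critical_severity": 15, "high_severity": 30}
DEFAULT_SLA_DAYS = 90

def pessimistic_date(p):
    """Check a prediction against the documented ranges; return range.high."""
    if not (1 <= p["estimatedDays"] <= 180 and 10 <= p["confidence"] <= 90):
        raise ValueError("estimatedDays/confidence outside documented ranges")
    low, eta, high = (date.fromisoformat(d) for d in
                      (p["range"]["low"], p["etaDate"], p["range"]["high"]))
    if not low <= eta <= high:
        raise ValueError("etaDate not inside range.low..range.high")
    return high

def needs_escalation(predictions, today):
    """Return (cve, days_over_sla, blockers), worst first, using range.high."""
    flagged = []
    for cve, p in predictions.items():
        high = pessimistic_date(p)
        signals = {f["signal"] for f in p["factors"]}
        sla = min((SLA_DAYS[s] for s in signals if s in SLA_DAYS),
                  default=DEFAULT_SLA_DAYS)
        days_over = (high - today).days - sla
        if days_over > 0:
            blockers = sorted(f["signal"] for f in p["factors"]
                              if "decelerator" in f["impact"])
            flagged.append((cve, days_over, blockers))
    return sorted(flagged, key=lambda item: -item[1])

# Constructed sample: the page's CVE-2025-1234 (trimmed) plus a made-up stalled entry.
SAMPLE = {
    "CVE-2025-1234": {
        "estimatedDays": 14, "confidence": 55, "etaDate": "2026-02-24",
        "range": {"low": "2026-02-17", "high": "2026-03-10"},
        "factors": [{"signal": "high_severity", "impact": "accelerator"}]},
    "CVE-0000-0001": {
        "estimatedDays": 120, "confidence": 20, "etaDate": "2026-06-10",
        "range": {"low": "2026-05-01", "high": "2026-08-01"},
        "factors": [{"signal": "critical_severity", "impact": "strong_accelerator"},
                    {"signal": "orphaned_package", "impact": "strong_decelerator"},
                    {"signal": "stale_issue", "impact": "decelerator"}]},
}

if __name__ == "__main__":
    for cve, over, blockers in needs_escalation(SAMPLE, date(2026, 2, 10)):
        print(f"{cve}: {over}d past SLA, blockers: {', '.join(blockers) or 'none'}")
```

Against live data, pass `data["predictions"]` and the date portion of `data["lastUpdated"]` so the comparison uses the snapshot the predictions were computed from.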
Caching
Predictions are computed every 30 minutes via cron.
Related Endpoints
- `GET /api/v1/package-health` - Package health (input to ETA model)
- `GET /api/v1/analytics/time-to-fix` - Historical time-to-fix benchmarks
- `GET /api/v1/rebuild-impact` - Rebuild blast radius