Time-to-Fix Benchmarks

Get cross-distribution time-to-fix benchmarks showing how quickly different Linux distributions patch CVEs.

Endpoint

GET /api/v1/analytics/time-to-fix

Parameters

Parameter	Type	Required	Description
full	string	No	Set to true to include per-CVE snapshot data (can be large)

Response

{
  "success": true,
  "data": {
    "aggregates": {
      "nixpkgs-unstable": {
        "label": "nixpkgs unstable",
        "family": "nix",
        "totalTracked": 150,
        "fixed": 120,
        "fixedCount": 120,
        "unfixed": 30,
        "fixRate": 80,
        "medianDays": 7,
        "p90Days": 30
      },
      "nixos-25.05": {
        "label": "NixOS 25.05",
        "family": "nix",
        "totalTracked": 150,
        "fixed": 95,
        "fixedCount": 95,
        "unfixed": 55,
        "fixRate": 63,
        "medianDays": 14,
        "p90Days": 45
      },
      "debian_13": {
        "label": "Debian 13 (trixie)",
        "family": "debian",
        "totalTracked": 150,
        "fixed": 100,
        "fixedCount": 100,
        "unfixed": 50,
        "fixRate": 67,
        "medianDays": 10,
        "p90Days": 40
      }
    },
    "totalTracked": 150,
    "lastUpdated": "2026-02-10T12:00:00.000Z"
  },
  "timestamp": "2026-02-10T12:00:00.000Z"
}

Response Fields

Aggregates (per distro)

Field	Type	Description
label	string	Human-readable distribution name
family	string	Distribution family (nix, debian, fedora, arch, alpine)
totalTracked	number	CVEs tracked for this distro
fixed	number	CVEs already fixed in this distro
fixedCount	number	Alias for fixed
unfixed	number	CVEs not yet fixed
fixRate	number	Percentage of tracked CVEs that are fixed (0-100)
medianDays	number|null	Median days from CVE publication to fix
p90Days	number|null	90th percentile days to fix

Tracked Distributions

NixOS channels are computed dynamically based on the current release schedule:

Distribution	Description
nixpkgs-unstable	Nixpkgs unstable channel
nixos-YY.MM	Latest two NixOS stable releases
debian_13	Debian Trixie
debian_12	Debian Bookworm
fedora_41	Fedora 41
arch	Arch Linux
alpine_3_21	Alpine 3.21

Example

# Get aggregate stats only
curl https://api.vulnpatch.dev/api/v1/analytics/time-to-fix

# Include per-CVE snapshots
curl "https://api.vulnpatch.dev/api/v1/analytics/time-to-fix?full=true"

Code Examples

JavaScript

async function compareDistros() {
  const response = await fetch('https://api.vulnpatch.dev/api/v1/analytics/time-to-fix');
  const { data } = await response.json();

  for (const [distro, stats] of Object.entries(data.aggregates)) {
    console.log(`${stats.label}: median ${stats.medianDays}d, p90 ${stats.p90Days}d, fix rate ${stats.fixRate}%`);
  }
}

Python

import requests

response = requests.get("https://api.vulnpatch.dev/api/v1/analytics/time-to-fix")
data = response.json()["data"]

for distro, stats in data["aggregates"].items():
    print(f"{stats['label']}: median {stats['medianDays']}d, p90 {stats['p90Days']}d, fix rate {stats['fixRate']}%")

Use Cases

• Distribution comparison: Compare patching speed across NixOS, Debian, Arch, etc.
• SLA tracking: Monitor whether your distro meets vulnerability SLAs
• Reporting: Generate time-to-fix trend reports for stakeholders

Caching

Data is computed every 30 minutes via cron.

Related Endpoints

• GET /api/v1/fix-etas - Predicted fix timelines for individual CVEs
• GET /api/v1/package-health - Package maintenance health scores
• GET /api/v1/fix-rate - Overall fix rate statistics