Three years ago I released a tool called PHP Version Audit. The idea is that it parses the PHP changelog and notifies you if you are running a PHP version that has a CVE or has lost support.<p>Anyways, after running for three years, I thought it would be fun to put together some data. The most interesting one is that PHP Version Audit has a median CVE discovery of 5 hours after the PHP announcement. In contrast, the NVE CVE Database has a median of 260 hours - or almost 11 days. Of course the NVE CVE Database has all sorts of information like a vulnerability score, so maybe it’s an apples vs. oranges comparison. Anyways, I hope someone else finds this interesting :)<p>If you think PHP Version Audit is interesting, there is also Node Version Audit[0] that I released earlier this year.<p>0: <a href="https://www.github.developerdan.com/node-version-audit/" rel="nofollow">https://www.github.developerdan.com/node-version-audit/</a>