The dataset is organized into two separate CSV files. Below, we provide descriptions of the variables within each of these files.

vendor_data.csv:
This CSV file includes vendor characteristics for each of the 104 vendors featured in the dataset. The variables contained in this file are:
	•	vendor_name: Vendor name
	•	number_cve: Number of CVEs per vendor
	•	number_iot_cve: Number of CVEs classified as IoT per vendor
	•	number_vuln_prod: Number of vulnerable products per vendor
	•	number_iot_vuln_prod: Number of IoT vulnerable products per vendor
	•	iot_ratio: Ratio of IoT vulnerable products (number_iot_vuln_prod) to number of vulnerable products 9 (number_vuln_prod) per vendor
	•	number_employees: Number of employees per vendor
	•	revenue_usd: Revenue (USD) per vendor
	•	number_devices: Number of device manuals per vendor
	•	vdp: A dummy variable that indicates the existence of a Vulnerability Disclosure Policy (VDP)
	•	bug_bounty: A dummy variable that indicates the existence of a bug bounty program
	•	age: Number of years the vendor has been in the market. The age was calculated as the number of years between the vendor’s foundation year and 2022
	•	hq_americas: A dummy variable that indicates whether the vendor's main headquarters is located in The Americas or not
	•	hq_asia_oceania: A dummy variable that indicates whether the vendor’s main headquarters is located in Asia and Oceania or not
	•	hq_europe: A dummy variable that indicates whether the vendor’s main headquarters is located in Europe or not

patch_data.csv
This file comprises information about the availability and timeliness of patches for a selection of 2,741 vulnerabilities, encompassing both IoT and non-IoT categories, associated with our group of 104 vendors. The variables contained in this file are:
	•	cve: CVE identifier
	•	vendor_name: Vendor name
	•	patch_availability: A dummy variable that indicates whether a patch for a vulnerability is available or not
	•	patch_release_date: If a patch is available, this variable indicates the date on which the patch was released
	•	patch_timeliness: A dummy variable that indicates if the patch for the vulnerability was released on or before the publication date of the vulnerability in the NVD
	•	advice_availability: A dummy variable that indicates whether a mitigation advice for a vulnerability is available or not
	•	advice_release_date: If a mitigation advice is available, this variable indicates the date on which the advice was released
	•	cve_published_date: The date the vulnerability was published in the NVD
	•	vulnerability_type: A dummy variable indicating whether a vulnerability is classified as IoT or not
	•	severity_score: Severity score of the vulnerability, based on the Common Vulnerability Scoring System (CVSS) version 3.0
	•	exploit_poc_availability: A dummy variable that indicates the existence of an exploit Proof-of-Concept (PoC) or not
	•	vuln_prod_os: A dummy variable that indicates whether the affected product is an Operative System (OS) or not
	•	vuln_prod_app: A dummy variable that indicates whether the affected product is an application or not
	•	vuln_prod_hw: A dummy variable that indicates whether the affected product is a hardware or not

