Paper - Cyber Security Project, Belfer Center
Taking Stock: Estimating Vulnerability Rediscovery
Abstract
Please see this post for an update from the authors on this paper.
+++++++++++++++++++++++++++++++++++++++++++++++++
How often do multiple, independent, parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue of rediscovery. The immature state of this research and subsequent debate is a problem for the policy community, where the government’s decision to disclose a given vulnerability hinges in part on that vulnerability’s likelihood of being discovered and used maliciously by another party. Research into the behavior of malicious software markets and the efficacy of bug bounty programs would similarly benefit from an accurate baseline estimate for how often vulnerabilities are discovered by multiple independent parties.
This paper presents a new dataset of more than 4,300 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more than twice as often as the 1-9% range previously reported. For our dataset, 15% to 20% of vulnerabilities are discovered independently at least twice within a year. For just Android, 13.9% of vulnerabilities are rediscovered within 60 days, rising to 20% within 90 days, and above 21% within 120 days. For the Chrome browser we found 12.57% rediscovery within 60 days; and the aggregate rate for our entire dataset generally rises over the eight-year span, topping out at 19.6% in 2016. We believe that the actual rate is even higher for certain types of software.
When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year. These results indicate that the information security community needs to map the impact of rediscovery on the efficacy of bug bounty programs and policymakers should more rigorously evaluate the costs of non-disclosure of software vulnerabilities.
For more information on this publication:
Please contact
Cyber Project
For Academic Citation:
Herr, Trey, Bruce Schneier and Christopher Morris. “Taking Stock: Estimating Vulnerability Rediscovery.” Paper, Cyber Security Project, Belfer Center, July 2017.
The Authors
Bruce Schneier
- Adjunct Lecturer in Public Policy, Harvard Kennedy School
- Fellow, Cyber Project
Christopher Morris
- Recommended
- In the Spotlight
- Most Viewed
Recommended
Analysis & Opinions
- Lawfare
Backdoor in XZ Utils That Almost Happened
Analysis & Opinions
- Lawfare
Building a Cyber Insurance Backstop Is Harder Than It Sounds
Analysis & Opinions
- cyberscoop
CFPB’s Proposed Data Rules Would Improve Security, Privacy and Competition
In the Spotlight
Most Viewed
Analysis & Opinions
- New Straits Times
Gorbachev and the End of the Cold War
Policy Brief
- Quarterly Journal: International Security
Oil, Conflict, and U.S. National Interests
Analysis & Opinions
- Carnegie Endowment for International Peace
Iran and Israel's Dangerous Gambit
Abstract
Please see this post for an update from the authors on this paper.
+++++++++++++++++++++++++++++++++++++++++++++++++
How often do multiple, independent, parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue of rediscovery. The immature state of this research and subsequent debate is a problem for the policy community, where the government’s decision to disclose a given vulnerability hinges in part on that vulnerability’s likelihood of being discovered and used maliciously by another party. Research into the behavior of malicious software markets and the efficacy of bug bounty programs would similarly benefit from an accurate baseline estimate for how often vulnerabilities are discovered by multiple independent parties.
This paper presents a new dataset of more than 4,300 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more than twice as often as the 1-9% range previously reported. For our dataset, 15% to 20% of vulnerabilities are discovered independently at least twice within a year. For just Android, 13.9% of vulnerabilities are rediscovered within 60 days, rising to 20% within 90 days, and above 21% within 120 days. For the Chrome browser we found 12.57% rediscovery within 60 days; and the aggregate rate for our entire dataset generally rises over the eight-year span, topping out at 19.6% in 2016. We believe that the actual rate is even higher for certain types of software.
When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year. These results indicate that the information security community needs to map the impact of rediscovery on the efficacy of bug bounty programs and policymakers should more rigorously evaluate the costs of non-disclosure of software vulnerabilities.
The Authors
Bruce Schneier
- Adjunct Lecturer in Public Policy, Harvard Kennedy School
- Fellow, Cyber Project
Christopher Morris
- Recommended
- In the Spotlight
- Most Viewed
Recommended
Analysis & Opinions - Lawfare
Backdoor in XZ Utils That Almost Happened
Analysis & Opinions - Lawfare
Building a Cyber Insurance Backstop Is Harder Than It Sounds
Analysis & Opinions - cyberscoop
CFPB’s Proposed Data Rules Would Improve Security, Privacy and Competition
In the Spotlight
Most Viewed
Analysis & Opinions - New Straits Times
Gorbachev and the End of the Cold War
Policy Brief - Quarterly Journal: International Security
Oil, Conflict, and U.S. National Interests
Analysis & Opinions - Carnegie Endowment for International Peace
Iran and Israel's Dangerous Gambit
