Paper - Cyber Security Project, Belfer Center
Taking Stock: Estimating Vulnerability Rediscovery
Abstract
Please see this post for an update from the authors on this paper.
How often do multiple, independent parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue of rediscovery. The immature state of this research and the subsequent debate is a problem for the policy community, where the government’s decision to disclose a given vulnerability hinges in part on that vulnerability’s likelihood of being discovered and used maliciously by another party. Research into the behavior of malicious software markets and the efficacy of bug bounty programs would similarly benefit from an accurate baseline estimate of how often vulnerabilities are discovered by multiple independent parties.
This paper presents a new dataset of more than 4,300 vulnerabilities and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more than twice as often as the 1-9% range previously reported. For our dataset, 15% to 20% of vulnerabilities are discovered independently at least twice within a year. For Android alone, 13.9% of vulnerabilities are rediscovered within 60 days, rising to 20% within 90 days and above 21% within 120 days. For the Chrome browser we found 12.57% rediscovery within 60 days, and the aggregate rate for our entire dataset generally rises over the eight-year span, topping out at 19.6% in 2016. We believe that the actual rate is even higher for certain types of software.
When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year. These results indicate that the information security community needs to map the impact of rediscovery on the efficacy of bug bounty programs, and that policymakers should more rigorously evaluate the costs of non-disclosure of software vulnerabilities.
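The abstract reports rediscovery as the share of vulnerabilities that a second, independent party reports within a fixed window (60, 90, 120 days, or a year) of the first report. The following is an added example, not the paper's code or dataset, showing how such a windowed rediscovery rate is computed from a constructed sample of (vulnerability id, reporter, report date) records; the sample values and the rule that a repeat report by the same reporter does not count as independent are assumptions made here.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of vulnerability reports (not the paper's data).
# Each tuple is (vulnerability id, reporter, report date).
REPORTS = [
    ("V-1", "alice", date(2016, 1, 10)),
    ("V-1", "bob",   date(2016, 2, 20)),   # 41 days later: independent rediscovery
    ("V-2", "carol", date(2016, 3, 1)),
    ("V-2", "carol", date(2016, 3, 5)),    # same reporter again: not independent
    ("V-3", "dave",  date(2016, 4, 1)),
    ("V-3", "erin",  date(2016, 6, 15)),   # 75 days later
    ("V-4", "frank", date(2016, 5, 1)),
    ("V-4", "grace", date(2016, 8, 20)),   # 111 days later
    ("V-5", "heidi", date(2016, 7, 1)),    # discovered only once
]


def group_reports(reports):
    """Group reports by vulnerability id, sorted by report date."""
    by_vuln = defaultdict(list)
    for vuln_id, reporter, day in reports:
        by_vuln[vuln_id].append((day, reporter))
    for entries in by_vuln.values():
        entries.sort()
    return by_vuln


def rediscovered_within(entries, window_days):
    """True if a reporter other than the first one reported the same
    vulnerability no more than window_days after the first report."""
    first_day, first_reporter = entries[0]
    for day, reporter in entries[1:]:
        if reporter == first_reporter:
            continue  # a repeat report by the original finder is not a rediscovery
        if (day - first_day).days <= window_days:
            return True
    return False


def rediscovery_rate(reports, window_days):
    """Fraction of distinct vulnerabilities rediscovered within the window."""
    by_vuln = group_reports(reports)
    hits = sum(rediscovered_within(e, window_days) for e in by_vuln.values())
    return hits / len(by_vuln)


def rates_by_window(reports, windows=(60, 90, 120, 365)):
    """Rediscovery rate per window, as the abstract reports for Android and Chrome."""
    return {w: rediscovery_rate(reports, w) for w in windows}
```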
For Academic Citation:
Herr, Trey, Bruce Schneier and Christopher Morris. “Taking Stock: Estimating Vulnerability Rediscovery.” Paper, Cyber Security Project, Belfer Center, July 2017.