This paper presents a new dataset of more than 2,600 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It is an update to the original publication, from July 2017. 

Where does malicious software - the code designed to exploit the vulnerabilities of computers and computer systems - come from?

As President Trump increasingly boxes in Tehran, U.S. allies should be worried about the potential for a devastating cyberattack from the Islamic Republic.

What is the likelihood that multiple parties will independently discover the same software vulnerability? Herr and Schneier discuss their recent paper "Taking Stock: Estimating Vulnerability Rediscovery." 

This paper presents a new dataset of more than 4,300 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more than twice as often as the 1-9% range previously reported.

Understanding the levels of conflict - strategy, operations, and tactics - can help policymakers mitigate the effectiveness of a disinformation campaign. Russia's operation against the 2016 U.S. election is case in point.

This article compares state activities to control the international spread of malware with efforts to counter the proliferation of weapons of mass destruction (WMD).

Trey Herr discusses what proliferation looks like in cyberspace: someone writes a piece of malware, a third party finds it, adapts it, adds in some of their own code or that from an open source project …et voila, a new piece of malware is born. This latest epidemic is based on a commonly used ransomware, combined with a modified version of the NSA’s leaked exploit, and tied together with some new encryption functionality and part of an open source security tool.

Malicious software is adapted, stolen, bought, and used everyday on a global scale. There are better ways to counter this proliferation than export controls. Policymakers should strengthen incentives for researchers and the private sector to rapidly identify software vulnerabilities, disclose them to developers, patch those vulnerabilities, and adopt those patches. Building on previous debates, this paper makes specific recommendations to shorten the lifecycle of vulnerabilities and improve the short term health of the software security ecosystem.