Taking Stock: Estimating Vulnerability Rediscovery

22 Pages Posted: 7 Mar 2017  

Trey Herr

Harvard Kennedy School (HKS), Belfer Center for Science and International Affairs (BCSIA)

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society; Harvard University - Harvard Kennedy School (HKS)

Date Written: March 7, 2017

Abstract

There is virtually no existing scholarly work regarding the proportion of vulnerabilities that are discovered by multiple, independent parties. This lack of knowledge is a problem for the policy community, where the decision to disclose vulnerabilities known to the government hinges in part on that vulnerability’s likelihood of being rediscovered and used by a malicious party. Research into the behavior of malicious software markets is similarly hamstrung without a baseline estimate for how often sellers will need to renew their stock. This paper presents a new dataset estimating vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens far more often than previously estimated. Between 15% and 20% of all vulnerabilities in browsers have at least one duplicate. For data available on Android between 2015 and 2016, 22% of vulnerabilities are rediscovered at least once, an average of 2 months after their original disclosure. There are reasons to believe that the actual rate is even higher for certain types of software.

Keywords: software vulnerability, vulnerability rediscovery, information security economics

Suggested Citation

Herr, Trey and Schneier, Bruce, Taking Stock: Estimating Vulnerability Rediscovery (March 7, 2017). Available at SSRN: https://ssrn.com/abstract=2928758 or http://dx.doi.org/10.2139/ssrn.2928758

Trey Herr (Contact Author)

Harvard Kennedy School (HKS), Belfer Center for Science and International Affairs (BCSIA)

79 JFK Street
Cambridge, MA 02138
United States

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society

Harvard Law School
Cambridge, MA 02138
United States

Harvard University - Harvard Kennedy School (HKS)

79 John F. Kennedy Street
Cambridge, MA 02138
United States
