22 Pages | Posted: 7 Mar 2017 | Last revised: 31 May 2017
Date Written: March 7, 2017
How often do multiple, independent parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on the question of rediscovery. The immature state of this research, and of the debate that follows from it, is a problem for the policy community, where a government's decision to disclose a given vulnerability hinges in part on the likelihood that the same vulnerability will be discovered and used maliciously by another party. Research into the behavior of malicious software markets and the efficacy of bug bounty programs would similarly benefit from an accurate baseline estimate of how often vulnerabilities are discovered by multiple independent parties.
This paper presents a new dataset of more than 4,300 vulnerabilities and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens far more often than previously estimated. For our dataset, 15% to 20% of vulnerabilities are discovered independently at least twice within a year. For the Android sample alone, 13.9% of vulnerabilities are rediscovered within 60 days, rising to 19% within 90 days and above 21% within 120 days. Chrome sees 12.87% rediscovery within 60 days, and the aggregate rate for our entire dataset generally rises over the eight-year span, topping out at 19.6% in 2016. We believe that the actual rate is even higher for certain types of software.
When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of one-third or more of all zero-day vulnerabilities discovered annually. These results suggest that the information security community needs to consider the impact of rediscovery on the efficacy of bug bounty programs, and policymakers should make greater efforts to rigorously evaluate the costs of, and requirements for, non-disclosure of software vulnerabilities.
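To make the rediscovery metric concrete, here is an added Python example (not code from the paper or its authors) that computes a rediscovery rate over a small constructed set of vulnerability reports for several time windows, mirroring the 60/90/120-day figures quoted above. It assumes one definition of rediscovery: a vulnerability counts as rediscovered within N days if a second, distinct party reported it no more than N days after the earliest report; whether this matches the paper's exact counting rule is an assumption. The vulnerability ids, reporter names and dates are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Report:
    """One vulnerability report credited to one independent party."""
    vuln_id: str     # identifier of the vulnerability (constructed sample value)
    reporter: str    # party credited with the find (constructed sample value)
    reported: date   # date the report reached the vendor (constructed sample value)


# Constructed sample dataset; not data from the paper.
SAMPLE_REPORTS = [
    Report("V-1", "alice", date(2016, 1, 10)),
    Report("V-1", "bob",   date(2016, 2, 20)),   # 41 days later: rediscovery within 60 days
    Report("V-2", "carol", date(2016, 3, 1)),
    Report("V-2", "dave",  date(2016, 5, 15)),   # 75 days later: within 90 days, not 60
    Report("V-3", "erin",  date(2016, 4, 2)),
    Report("V-3", "erin",  date(2016, 4, 9)),    # same party twice: a duplicate, not a rediscovery
    Report("V-4", "frank", date(2016, 6, 1)),    # single report, never rediscovered
    Report("V-5", "grace", date(2016, 7, 1)),
    Report("V-5", "heidi", date(2017, 1, 20)),   # 203 days later: outside every window used here
    Report("V-5", "ivan",  date(2016, 8, 15)),   # 45 days later: rediscovery within 60 days
]


def rediscovery_rate(reports, window_days):
    """Fraction of vulnerabilities reported by at least two distinct parties,
    counting only reports within `window_days` of the earliest report.
    (Assumed definition of rediscovery; see lead-in.)"""
    by_vuln = {}
    for r in reports:
        by_vuln.setdefault(r.vuln_id, []).append(r)
    if not by_vuln:
        return 0.0  # avoid division by zero on an empty dataset
    rediscovered = 0
    for rs in by_vuln.values():
        rs.sort(key=lambda r: r.reported)
        first = rs[0]
        cutoff = first.reported + timedelta(days=window_days)
        # Distinct parties other than the first finder that reported inside the window.
        later_parties = {
            r.reporter for r in rs
            if r.reporter != first.reporter and r.reported <= cutoff
        }
        if later_parties:
            rediscovered += 1
    return rediscovered / len(by_vuln)


def rediscovery_curve(reports, windows=(60, 90, 120)):
    """Rediscovery rate for each window, so the rise with window length is visible."""
    return {w: rediscovery_rate(reports, w) for w in windows}


if __name__ == "__main__":
    for window, rate in rediscovery_curve(SAMPLE_REPORTS).items():
        print(f"{window:>3} days: {rate:.1%} rediscovered")
```

The curve only ever rises with the window length, which is the same shape as the Android figures in the abstract; the absolute values here are meaningless because the data is constructed. On a real dataset the hard part is the data itself: deciding when two credited reporters are genuinely independent and which date to treat as the first report.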
Keywords: software vulnerability, vulnerability rediscovery, information security economics
Suggested Citation: Herr, Trey and Schneier, Bruce and Morris, Christopher, Taking Stock: Estimating Vulnerability Rediscovery (March 7, 2017). Available at SSRN: https://ssrn.com/abstract=2928758 or http://dx.doi.org/10.2139/ssrn.2928758