22 Pages Posted: 7 Mar 2017
Date Written: March 7, 2017
There is virtually no existing scholarly work on the proportion of vulnerabilities that are discovered by multiple, independent parties. This lack of knowledge is a problem for the policy community, where the decision to disclose vulnerabilities known to the government hinges in part on the likelihood of that vulnerability being rediscovered and used by a malicious party. Research into the behavior of malicious software markets is similarly hamstrung without a baseline estimate of how often sellers will need to renew their stock. This paper presents a new dataset estimating vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens far more often than previously estimated. Between 15% and 20% of all vulnerabilities in browsers have at least one duplicate. For data available on Android between 2015 and 2016, 22% of vulnerabilities are rediscovered at least once, an average of 2 months after their original disclosure. There are reasons to believe that the actual rate is even higher for certain types of software.
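The two figures the abstract reports (the share of bugs with at least one duplicate, and the mean lag between the first report and the rediscovery) can be computed from any report-level dataset in which each row is one party's report of one bug. The following is an added example and is not the paper's code or data: it assumes a hypothetical record layout of (bug identifier, reporter, disclosure date), uses a handful of constructed records, and counts a bug as rediscovered only when a different reporter files it, so two reports from the same party are not treated as a rediscovery.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not data from the paper). Each tuple is one
# report: (bug_id, reporter, date the report was made or disclosed).
REPORTS = [
    ("BUG-1", "alice", date(2015, 3, 1)),
    ("BUG-1", "bob",   date(2015, 5, 4)),   # independent rediscovery ~2 months later
    ("BUG-2", "carol", date(2015, 6, 10)),
    ("BUG-3", "dave",  date(2016, 1, 15)),
    ("BUG-3", "erin",  date(2016, 1, 20)),  # rediscovered twice
    ("BUG-3", "frank", date(2016, 4, 2)),
    ("BUG-4", "gina",  date(2016, 2, 1)),
    ("BUG-5", "hal",   date(2016, 7, 7)),
    ("BUG-5", "hal",   date(2016, 7, 9)),   # same reporter again: not a rediscovery
]

DAYS_PER_MONTH = 365.25 / 12  # used only to express the mean lag in months


def rediscovery_stats(reports):
    """Return rediscovery rate and mean lag from a list of (bug, reporter, date).

    A bug counts as rediscovered when at least two distinct reporters filed it.
    The lag for each rediscovery is measured from the earliest report of that
    bug to that reporter's own first report.
    """
    # Earliest report date per (bug, reporter); duplicate filings by the same
    # party collapse to their first date.
    first_report = {}
    for bug_id, reporter, disclosed in reports:
        key = (bug_id, reporter)
        if key not in first_report or disclosed < first_report[key]:
            first_report[key] = disclosed

    by_bug = defaultdict(list)
    for (bug_id, _reporter), disclosed in first_report.items():
        by_bug[bug_id].append(disclosed)

    total_bugs = len(by_bug)
    rediscovered = 0
    lags_days = []
    for dates in by_bug.values():
        dates.sort()
        if len(dates) < 2:
            continue  # only one independent party ever reported it
        rediscovered += 1
        original = dates[0]
        lags_days.extend((later - original).days for later in dates[1:])

    rate = rediscovered / total_bugs if total_bugs else 0.0
    mean_lag_days = sum(lags_days) / len(lags_days) if lags_days else 0.0
    return {
        "bugs": total_bugs,
        "rediscovered": rediscovered,
        "rate": rate,
        "mean_lag_days": mean_lag_days,
        "mean_lag_months": mean_lag_days / DAYS_PER_MONTH,
    }


if __name__ == "__main__":
    stats = rediscovery_stats(REPORTS)
    print(f"{stats['rediscovered']} of {stats['bugs']} bugs rediscovered "
          f"({stats['rate']:.0%}), mean lag {stats['mean_lag_days']:.0f} days "
          f"(~{stats['mean_lag_months']:.1f} months)")
```

Because a dataset like this can only contain reports that became visible (bug-tracker entries, advisories, bounty submissions), the rate it yields is a lower bound on rediscovery: parties who find a bug and never report it are invisible to the count, which is the same direction of bias the abstract notes when it says the true rate is likely higher for some software.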
Keywords: software vulnerability, vulnerability rediscovery, information security economics