Download this Paper Open PDF in Browser

Taking Stock: Estimating Vulnerability Rediscovery

Belfer Cyber Security Project White Paper Series

52 Pages Posted: 7 Mar 2017 Last revised: 28 Oct 2017

Trey Herr

Harvard Kennedy School (HKS), Belfer Center for Science and International Affairs (BCSIA)

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society; Harvard University - Harvard Kennedy School (HKS)

Christopher Morris

Harvard University - Harvard School of Engineering and Applied Sciences

Date Written: March 7, 2017

Abstract

How often do multiple, independent parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue of rediscovery. The immature state of this research and subsequent debate is a problem for the policy community, where the government’s decision to disclose a given vulnerability hinges in part on that vulnerability’s likelihood of being rediscovered and used maliciously by another party. Research into the behavior of malicious software markets and the efficacy of bug bounty programs would similarly benefit from an accurate baseline estimate for how often vulnerabilities are discovered by multiple independent parties.

This paper presents a new dataset of more than 2,600 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more often than the 1% to 9% range previously reported. The aggregate rediscovery rate for our dataset is 12.7%, ranging between 10.8% for Chrome between 2009 and 2017, to 21.9% for Android between 2016 and 2017. For Android and Chrome, more than 60% of all rediscovery takes place in the first month after the original vulnerability’s disclosure.

These results are largely in line with those of the original version of this paper published in July 2017, and indicate that the information security community should map the impact of rediscovery on the efficacy of bug bounty programs, and policymakers should more rigorously evaluate the costs and requirements for non-disclosure of software vulnerabilities.

Keywords: software vulnerability, vulnerability rediscovery, information security economics

Suggested Citation

Herr, Trey and Schneier, Bruce and Morris, Christopher, Taking Stock: Estimating Vulnerability Rediscovery (March 7, 2017). Belfer Cyber Security Project White Paper Series . Available at SSRN: https://ssrn.com/abstract=2928758 or http://dx.doi.org/10.2139/ssrn.2928758

Trey Herr (Contact Author)

Harvard Kennedy School (HKS), Belfer Center for Science and International Affairs (BCSIA) ( email )

79 JFK Street
Cambridge, MA 02138
United States

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society ( email )

Harvard Law School
Cambridge, MA 02138
United States

Harvard University - Harvard Kennedy School (HKS) ( email )

79 John F. Kennedy Street
Cambridge, MA 02138
United States

Christopher Morris

Harvard University - Harvard School of Engineering and Applied Sciences ( email )

29 Oxford Street
Cambridge, MA 02138
United States

Paper statistics

Downloads
1,503
Rank
9,447
Abstract Views
10,526