Taking Stock: Estimating Vulnerability Rediscovery

22 Pages Posted: 7 Mar 2017 Last revised: 31 May 2017

Trey Herr

Harvard Kennedy School (HKS), Belfer Center for Science and International Affairs (BCSIA)

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society; Harvard University - Harvard Kennedy School (HKS)

Christopher Morris

Harvard University - Harvard School of Engineering and Applied Sciences

Date Written: March 7, 2017

Abstract

How often do multiple, independent parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue of rediscovery. The immature state of this research and subsequent debate is a problem for the policy community, where the government’s decision to disclose a given vulnerability hinges in part on that vulnerability’s likelihood of being discovered and used maliciously by another party. Research into the behavior of malicious software markets and the efficacy of bug bounty programs would similarly benefit from an accurate baseline estimate for how often vulnerabilities are discovered by multiple independent parties.

This paper presents a new dataset of more than 4,300 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens far more often than previously estimated. For our dataset, 15% to 20% of vulnerabilities are discovered independently at least twice within a year. For just the Android sample, 13.9% of vulnerabilities are rediscovered within 60 days, rising to 19% within 90 days, and above 21% within 120 days. Chrome sees a 12.87% rediscovery rate within 60 days, and the aggregate rate for our entire dataset generally rises over the eight-year span, topping out at 19.6% in 2016. We believe that the actual rate is even higher for certain types of software.
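The rediscovery rates quoted above are fractions of a vulnerability population for which a second, independent report arrives inside a time window. The following is an added illustration, not code or data from the paper, of how such a window-based rate can be computed from per-vulnerability report records. The definition it uses (a vulnerability counts as rediscovered within a window if a reporter different from the first one reports it no later than the window length after the earliest report) and the sample dataset are assumptions constructed for this example and are not the authors' methodology or data.

```python
from datetime import date, timedelta

# Constructed sample data (not from the paper): vulnerability id -> list of
# (reporter, report_date). Repeat reports from the same party are not treated
# as independent discoveries.
REPORTS = {
    "VULN-A": [("alice", date(2016, 1, 5)), ("bob", date(2016, 2, 20))],    # 46 days apart
    "VULN-B": [("carol", date(2016, 3, 1)), ("dave", date(2016, 5, 10))],   # 70 days apart
    "VULN-C": [("erin", date(2016, 4, 2))],                                  # single discovery
    "VULN-D": [("frank", date(2016, 6, 1)), ("frank", date(2016, 6, 15))],  # same party twice
    "VULN-E": [("grace", date(2016, 7, 1)), ("heidi", date(2016, 7, 2)),
               ("ivan", date(2016, 11, 1))],                                 # rediscovered next day
}


def rediscovered_within(reports, window_days):
    """True if a reporter other than the first one reported the vulnerability
    within window_days of the earliest report (assumed definition)."""
    if not reports:
        return False
    ordered = sorted(reports, key=lambda r: r[1])
    first_reporter, first_date = ordered[0]
    cutoff = first_date + timedelta(days=window_days)
    return any(reporter != first_reporter and reported <= cutoff
               for reporter, reported in ordered[1:])


def rediscovery_rate(dataset, window_days):
    """Fraction of vulnerabilities in the dataset rediscovered within the window."""
    if not dataset:
        return 0.0
    hits = sum(rediscovered_within(r, window_days) for r in dataset.values())
    return hits / len(dataset)


def rediscovery_profile(dataset, windows=(60, 90, 120)):
    """Rate at each window length, mirroring the 60/90/120-day breakdown style."""
    return {w: rediscovery_rate(dataset, w) for w in windows}


if __name__ == "__main__":
    for window, rate in rediscovery_profile(REPORTS).items():
        print(f"{window:>3} days: {rate:.1%} of {len(REPORTS)} vulnerabilities rediscovered")
```

Sorting by date and measuring the window from the earliest report means a party who finds the bug long after two others have already collided does not change the answer for short windows; VULN-E is counted once, not twice. Only the rate computation is shown here; the harder part of such a study, establishing that two reports really are independent rather than one reporter under two names or a leak of the same finding, is a data-curation question that no code settles.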

When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of one-third or more of all zero-day vulnerabilities discovered annually. These results suggest that the information security community needs to consider the impact of rediscovery on the efficacy of bug bounty programs, and policymakers should make greater efforts to rigorously evaluate the costs of, and requirements for, non-disclosure of software vulnerabilities.

Keywords: software vulnerability, vulnerability rediscovery, information security economics

Suggested Citation

Herr, Trey and Schneier, Bruce and Morris, Christopher, Taking Stock: Estimating Vulnerability Rediscovery (March 7, 2017). Available at SSRN: https://ssrn.com/abstract=2928758 or http://dx.doi.org/10.2139/ssrn.2928758

Trey Herr (Contact Author)

Harvard Kennedy School (HKS), Belfer Center for Science and International Affairs (BCSIA)

79 JFK Street
Cambridge, MA 02138
United States

Bruce Schneier

Harvard University - Berkman Klein Center for Internet & Society

Harvard Law School
Cambridge, MA 02138
United States

Harvard University - Harvard Kennedy School (HKS)

79 John F. Kennedy Street
Cambridge, MA 02138
United States

Christopher Morris

Harvard University - Harvard School of Engineering and Applied Sciences

29 Oxford Street
Cambridge, MA 02138
United States

Paper statistics

Downloads: 1,360
Rank: 10,496
Abstract Views: 9,461