PINDROP BLOG

To Disclose or Not to Disclose

LAS VEGAS–The people in the security community are good at many things, but reaching consensus is not one of them. That is never more clear than when the topic is vulnerabilities and how to handle them.

The last year has seen the publication of a couple of studies on vulnerability discovery and disclosure and how common it is for more than one researcher to find a given vulnerability over time. The studies rely on independent data sets and are naturally constrained by a lack of access to data on private vulnerability caches, such as those owned by intelligence agencies. But they have provided some insight into what the probability is of multiple people to find the same bug at some point, a phenomenon that is a key point in many discussions about whether government agencies should be holding onto the bugs they find or disclosing them to affected vendors.

One of those studies, done by Harvard’s Kennedy School and published this month, looked at a data set of 4,300 vulnerabilities in various pieces of software. The researchers found that between 15 and 20 percent of the vulnerabilities in their data set were rediscovered within a year, a rate that’s significantly higher than most previous estimates. The idea of rediscovery by multiple parties is one of the main points that people use when arguing that the government should disclose the flaws that it finds rather than keeping them for use by intelligence agencies.

“It’s much more beneficial to err on the side of disclosure.”

“When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year,” the Harvard paper’s abstract says.

During a panel at the Black Hat conference here Thursday, several experts–including one of the authors of the Harvard paper–debated the topic. And came to no consensus. A big sticking point in the debate was the relative scarcity or density of vulnerabilities in software and how valuable any given bug is, both to a nation and to the general public that could be affected by it. Katie Moussouris, CEO of Luta Security and a former Microsoft security engineer, advocated for more government disclosure of vulnerabilities, saying that policy would do the most good for the most people.

“It’s much more beneficial to err on the side of disclosure. If we’re playing a game of capture the flag and we all have the same flags, what do you think is the smart thing to do?” she said.

The United States government has a formal policy that is designed to dictate how its agencies handle decisions about when to disclose a new vulnerability and when to hold on to it. The Vulnerabilities Equities Process, established during the Obama administration, lays out the factors that should govern when and how agencies disclose flaws. But critics have said it’s not comprehensive enough and that it leaves room for agencies to skirt it. And in the end, it only applies to federal agencies and has no real effect on how enterprises and users go about their business each day.

“The VEP is distinct from the patching process in companies. We’re not going to change vendor behavior just by debating when the government should disclose a vulnerability,” said Trey Herr, a fellow at the Belfer Center Cyber Security Project at Harvard’s Kennedy School.