If one person can find a vulnerability, somebody else can, too. Andy Ozment [1] showed that "vulnerability rediscovery occurs 'in the wild' and that it is not particularly uncommon." Finifter and colleagues, reviewing a dataset of Chrome vulnerabilities, identified 15 out of 668 (2.25%) that had been independently discovered by multiple parties [2]. They go on to mention similar rates for Firefox vulnerabilities. Ablon and Bogart [3] studied a stockpile of zero day vulnerabilities, estimating that "after a year approximately 5.7 percent have been discovered and disclosed by others." Herr and Schneier [4] find browser vulnerabilities having rediscovery rates between 11% and 20% annually for the years 2013-2015. For Android vulnerabilities during the 2015-2016 timeframe, they found an annual rediscovery rate of 22%.
What is to be done when the CVD process is underway for a vulnerability, and a seemingly independent report of the same vulnerability arrives? One approach is to accelerate the disclosure timeline, possibly disclosing immediately. This approach assumes that if a vulnerability has been found and reported by multiple individuals acting independently, then it must be an easy vulnerability to find. This in turn implies that others who haven't reported it may also be aware of its existence, thereby increasing the likelihood of its availability to adversaries.
While we find this to be a reasonable conclusion, CVD participants should be wary of duplicate reports that are not independent. Truly independent discovery does yield some indication of the difficulty of finding a vulnerability. But vulnerability finders and security researchers talk to each other, and they sometimes hunt in the same places. An announcement of interesting vulnerabilities in a product can spur others to turn their attention and tools to that product. Even a casual "I've been looking at product X and found some interesting things" can put someone else on the hunt for vulnerabilities in product X. Any judgement of independence should consider the degree to which there is community interest in a product. As the popularity of products wax and wane through their lifespan, so too will security researcher attention.
An example of a coordination failure occurred during the vulnerability disclosure of Heartbleed. Two organizations, Codenomicon and Google, both discovered the vulnerability around the same time. When the vulnerability was reported a second time to the OpenSSL team, the team assumed a possible leak and the vulnerability was quickly disclosed publicly [5]. A more coordinated response may have allowed further remediation to be available immediately at disclosure time.
Even more insidious is a phenomenon we've observed in bug bounty scenarios. Because they pay for reports, bug bounties can unintentionally provide incentives for finders to share their reports with others prior to reporting, allowing multiple individuals to report the same bug, and potentially share in a larger payout. CVD is a social game: as such, its incentives affect participants' behavior.
Rather than prescribing a single rule that independent discovery should immediately trigger release of the vulnerability information, we suggest that CVD participants discuss the implications of rediscovery on a case-by-case basis in order to decide the best course of action for the particular case.
References
- A. Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting," in Workshop on Economics and Information Security, 2005.
- M. Finifter, D. Akhawe and D. Wagner, "An Empirical Study of Vulnerability Rewards Programs," in 22nd USENIX Security Symposium, 2013.
- L. Ablon and T. Bogart, "Zero Days, Thousands of Nights," RAND Corporation, 2017.
- T. Herr and B. Schneier, "Taking Stock: Estimating Vulnerability Rediscovery," 7 March 2017. [Online]. Available: https://ssrn.com/abstract=2928758. [Accessed 16 May 2017].
- B. Grubb, "Heartbleed disclosure timeline: who knew what and when," The Sydney Morning Herald, 15 April 2014. [Online]. Available: http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html. [Accessed 23 May 2017].