But there is another more important aspect to security research that gets ignored quite frequently – risk. I believe that if not all, then almost all “whitehat” security researchers are focused on the vulnerability part of the risk equation in their attempts to reduce risk. But the ultimate consequences, in the form of compromises, are largely overlooked. So the real pertinent question about whether vulnerability discovery and disclosure “works for the greater good” is not if vulnerabilities are reduced; it is whether incidents and the likelihood of future incidents are reduced. That is not clear to me at all. [Note that there is an even more granular notion of cost here that probably isn’t worth getting into at this point.]

Very good points there. From largely anecdotal evidence it is easy to deduce that full disclosure in fact increases risks whilst reducing (or at least disclosing) vulnerabilities. How?
Proponents (practitioners?) of FAIR know that risk has two factors: probable loss magnitude (how much is this whole thing going to cost me), and loss event frequency. Full disclosure does very little to probable loss magnitude; what it influences is loss event frequency. How?
Loss event frequency consists of two factors:
- Threat event frequency; and
- Vulnerability.

Vulnerability consists of two factors: control strength; and threat capability. Full disclosure strengthens both factors, however the strength may not be equal on both sides. First to consider is timing: full disclosure will benefit the threat agents first. Threat agents get a wholesale increase in capability because full disclosure provides them with vital information on where the vulnerability is, what the vulnerability is, how it can be exploited, etc. Only later, or in some cases much, much later or never, does the control strength increase: patches, work-arounds, etc. take time to complete. The time between the release of vulnerability information and the release of effective and efficient controls is the time where vulnerability is increased. During this time threat event frequency increases as well. Vulnerability reaches balance once again when effective and efficient controls are put in place for all affected systems. If that never happens then full disclosure has already irreversibly increased risk to the system owners.

But it doesn’t stop just with vulnerability. Threat event frequency is increased exponentially from the moment vulnerability information is made publicly available. People who find out about the vulnerability due to full disclosure fall into many camps, but we are really interested in two:
- those that can use this information to circumvent controls; and
- those that can use this information to bolster their controls.
Vendors need to ensure that their patches work for a range of customers with wildly different systems and ways of using their product. All threat agents need to ensure is that their exploit code works for a small subset of potential targets and they’re ready to cast their net. Threat agents don’t need to ensure their exploit code works for every system they’re likely to encounter. They don’t even need to ensure that their exploit code is going to work against a majority of target systems; so long as they can get a decent subset of target systems exploited they have achieved their goal.

So?
In the old, pre-full-disclosure times vulnerabilities were disclosed to the vendors who, at their discretion, fixed or ignored security weaknesses. Customers were happy to use their systems blissfully unaware of any vulnerabilities. Threat agents were happy doing whatever it is threat agents do when there is no easy-to-consume information available on vulnerable systems: researching how to get ahead in the computer game of their choice, learning to play the ukulele, participating in a religious war on Usenet, …

When full disclosure thundered onto the scene all that changed: threat agents multiplied; average threat capability increased; threat event frequency grew exponentially - all thanks to easy access to timely information on fresh vulnerabilities that were largely guaranteed to remain exploitable for at least a week.
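
The exposure-window argument above (loss event frequency = threat event frequency × vulnerability, with threat capability rising at disclosure and control strength rising only once a patch is deployed) can be put into numbers. The following Python model is an added example, not part of the original post or of the FAIR standard; the function names, the uniform-capability assumption and every parameter value are constructed for illustration.

```python
# Added example: the post's FAIR-style argument as a day-by-day model.
# Every number below is a constructed assumption, not measured data.

def vulnerability(tcap_max, control_strength):
    """Share of threat events that become loss events.

    Assumption: attacker capability is uniform on [0, tcap_max], so this is
    P(capability > control_strength)."""
    if tcap_max <= 0 or control_strength >= tcap_max:
        return 0.0
    return 1.0 - control_strength / tcap_max


def expected_loss_events(days, disclosure_day=None, patch_day=None, coverage=0.0,
                         tef=(1.0, 10.0), tcap=(0.5, 1.0), cs=(0.4, 1.0)):
    """Sum over days of loss event frequency = TEF x Vulnerability.

    tef, tcap: (before, after) disclosure; cs: (unpatched, patched) control
    strength; coverage: fraction of affected systems that ever get the patch."""
    total = 0.0
    for day in range(days):
        disclosed = disclosure_day is not None and day >= disclosure_day
        patched = patch_day is not None and day >= patch_day
        day_tef = tef[1] if disclosed else tef[0]
        day_tcap = tcap[1] if disclosed else tcap[0]
        share_patched = coverage if patched else 0.0
        # Population vulnerability is the mix of patched and unpatched systems.
        vuln = (share_patched * vulnerability(day_tcap, cs[1])
                + (1.0 - share_patched) * vulnerability(day_tcap, cs[0]))
        total += day_tef * vuln
    return total


def scenarios(days=30):
    """Four constructed 30-day scenarios for side-by-side comparison."""
    return {
        "no disclosure": expected_loss_events(days),
        "disclosed, patched day 7, all systems": expected_loss_events(days, 0, 7, 1.0),
        "disclosed, patched day 7, 80% of systems": expected_loss_events(days, 0, 7, 0.8),
        "disclosed, never patched": expected_loss_events(days, 0),
    }


if __name__ == "__main__":
    for name, events in scenarios().items():
        print(f"{name:42s} {events:6.1f} expected loss events")
```

Under these assumptions the one-week window alone outweighs a month of undisclosed exposure, and any systems left unpatched keep accumulating loss events at the post-disclosure rate.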