52 Pages Posted: 7 Mar 2017 Last revised: 28 Oct 2017

Date Written: March 7, 2017

Abstract

How often do multiple, independent parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue of rediscovery. The immature state of this research and subsequent debate is a problem for the policy community, where the government’s decision to disclose a given vulnerability hinges in part on that vulnerability’s likelihood of being rediscovered and used maliciously by another party. Research into the behavior of malicious software markets and the efficacy of bug bounty programs would similarly benefit from an accurate baseline estimate for how often vulnerabilities are discovered by multiple independent parties.

This paper presents a new dataset of more than 2,600 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more often than the 1% to 9% range previously reported. The aggregate rediscovery rate for our dataset is 12.7%, ranging between 10.8% for Chrome between 2009 and 2017, to 21.9% for Android between 2016 and 2017. For Android and Chrome, more than 60% of all rediscovery takes place in the first month after the original vulnerability’s disclosure.

These results are largely in line with those of the original version of this paper published in July 2017, and indicate that the information security community should map the impact of rediscovery on the efficacy of bug bounty programs, and policymakers should more rigorously evaluate the costs and requirements for non-disclosure of software vulnerabilities.