Saturday, February 1, 2014

Of Vulnerabilities and Bullets

Where I explain why no-one cares about the vulnerability you found.

I've had many people try to convince me that infosec vulnerabilities are the base unit of infosec.  My experience is that vulnerabilities are something, but not much.

But let's talk guns.  Everyone has heard the saying, "Guns don't kill people, people kill people."  Probably more accurate would be that bullets kill people, but only in very specific situations.  There must be a gun, a target (in the same area) and a threat actor to pull the trigger to go with that bullet.

Vulnerabilities are about the same thing.  Vulnerabilities are like bullets.  They play a part, but no more.  The same way there are innumerable bullets out there yet very few ever kill people, there are innumerable vulnerabilities, yet very few are used to realize a risk.  This is because, just like a bullet, a vulnerability must exist in a greater context that makes it part of a risk that a threat actor can exploit and an impact that matters.  And of course the threat actor must exist to pull the trigger.

So, as a security researcher, if you feel that your vulnerabilities are not taken seriously, don't just consider the vulnerability when presenting it.  Consider the context the vulnerability is likely to exist in.  Consider whether a threat actor even exists to exploit the vulnerability.

If one does, convince people.  Show them where similar vulnerabilities have been exploited by threat actors.  Show them where the vulnerability helps known threat actors realize their stated goals.  Show them how the only part of the context preventing exploitation is that the threat actor simply hasn't made it to their organization yet.

Only then will the vulnerability matter.