Interesting stat: they found ~6% of stockpiled vulnerabilities were independently rediscovered within a year. Q is what that tells us.
Note that 6% seems small, but it’s basically a lower bound - no way to know about vuls found and kept secret by others.
But it at least gives us some quantification of the risk of not reporting. Policy Q is how long not reporting is acceptable risk.
My sense is that this space is highly non-uniform, so over-interpreting the 6%/yr number is probably unwise. Need to find more factors.
But this is a very important hook for more research on both the technical and policy sides.
Not-very-bold prediction: the RAND study will be widely cited to make categorical statements that support opposite conclusions.
Is 6% a high risk or a low risk? Compare: "you have a 6% chance of getting a parking ticket" vs "6% chance of accidental nuclear explosion".
oh hey just what we were talking about
@quinnnorton