Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosures

The contributions of this article are as follows:

A discussion of how the model could be applied to benchmarks and multiparty coordination follows in Section 8. Section 9 describes the limitations of the approach and lays out future work to improve it. Section 10 surveys related work, and Section 11 summarizes and concludes.

Before we discuss either possible histories (Section 3) or desirable histories (Section 4) in the vulnerability life cycle, we need to formally define our terms. In all these definitions, we take standard Zermelo–Fraenkel set theory. The concept of sequences extends set theory to include a concept of ordered sets. From them, we adopt the following notation:

From Table 1, we define the set of events \(E\)

A sequence \(s\) is an ordered set of some number of events \(e_i \in E\) for \(1 \le i \le n\) and the length of \(s\) is \(|s| \stackrel{\mathsf {def}}{=}n\).

A valid vulnerability coordination history \(h\) is a sequence \(s\) containing one and only one of each of the event types in \(E\); by definition \(|h| = |E| = 6\). Note this is a slight abuse of notation; \(|\textrm { }|\) represents both sequence length and the cardinality of a setwhere two members of the set \(E\) are equal if they are represented by the same symbol and not equal otherwise. The set of all possible histories, \(S_H\), is a set of all the sequences \(h\) that satisfy this definition.

We model event frequency with a simple state-based model of the possible histories \(h \in H\) in which each state is a binary vector indicating which events \(e \in E\) have occurred prior to reaching that state. The events \(e \in E\) therefore represent state transitions, and the histories \(h \in H\) are paths (traces) through the states. This meets the definition above because each \(e \in E\) is unique (mutually exclusive) and the set of available \(e\) at each step of the way is exhaustive. Let \(E^h_{i+1}\) be the set of possible next events following the \(i\)th event in history \(h\), which is a subset of all possible events: \(E^h_{i+1} \subseteq E\). The fragment of a history \(h\) up to its \(i\)th element is a sequence, which contains the first \(i\) events of \(h\), denoted as \(h_i\). The initial case \(h_0 \stackrel{\mathsf {def}}{=}\emptyset\). The probability of transition from \(e_i\) to any of the possible next events \(e_{i+1}\), where \(e_{i+1}\in E^h_{i+1}\), is defined, based on the principle of indifference, as the inverse of the cardinality of the set of possible states, namely:

For example, because Equation (4) requires \(V \prec F\) and \(F \prec D\), only four of the six events in \(E\) are possible at the beginning of a history: \(\lbrace V,P,X,A\rbrace\). Therefore, \(p(F|\emptyset) = p(D|\emptyset) = 0\). Since the principle of indifference assigns each possible transition event as equally probable in this model of unskilled CVD, we assign an initial probability of 0.25 to each possible event (\(p(V|\emptyset) = p(P|\emptyset) = p(X|\emptyset) = p(A|\emptyset) = 0.25\)). From there, we see that the other rules dictate possible transitions from each subsequent state. For example, Equation (5) says that any \(h\) starting with \(P\) must start with \(PV\). And Equation (6) requires any \(h\) starting with \(X\) must proceed through \(XP\) and again Equation (5) gets us to \(XPV\). Therefore, we expect histories starting with \(PV\) or \(XPV\) to occur with frequency 0.25 as well.

We apply the principle of indifference to the available events (\(E^h_{i+1} \subseteq E\)) at each state \(i\) for each of the possible histories to compute the expected frequency of each history, which we denote as \(f_h\). The frequency of a history \(f_h\) is the cumulative product of the probability \(p\) of each event \(e\) in the history \(h\). We are only concerned with histories that meet our sequence constraints, namely, \(h \in H\)

Table 2 displays the value of \(f_h\) for each history. Having an expected frequency (\(f_h\)) for each history \(h\) will allow us to examine how often we might expect our desiderata \(d \in \mathbb {D}\) to occur across \(H\).

Choosing uniformly over event transitions is more useful than treating the six-element histories as uniformly distributed. For example, \(P \prec A\) in 59% of valid histories, but when histories are weighted by the assumption of uniform state transitions \(P \prec A\) is expected to occur in 67% of the time. These differences arise due to the dependencies between some states. Since CVD practice is comprised a sequence of events, each informed by the last, our uniform distribution over events is more likely a useful baseline than a uniform distribution over histories.

Each of the event pair orderings in Table 3 can be treated as a Boolean condition that either holds or does not hold in any given history.

In Section 5.2, we described how to compute the expected frequency of each history (\(f_h\)) given the presumption of indifference to possible events at each step. We can use \(f_h\) as a weighting factor to compute the expected frequency of event orderings (\(e_i \prec e_j\)) across all possible histories \(H\). Equations (13) and (14) define the frequency of an ordering \(f_{e_i \prec e_j}\) as the sum over all histories in which the ordering occurs (\(H^{e_i \prec e_j}\)) of the frequency of each such history (\(f_h\)) as shown in Table 2.

Table 4 displays the results of this calculation. Required event orderings have an expected frequency of 1, while impossible orderings have an expected frequency of 0. As defined in Section 4, each desiderata \(d \in \mathbb {D}\) is specified as an event ordering of the form \(e_i \prec e_j\). We use \(f_d\) to denote the expected frequency of a given desiderata \(d \in \mathbb {D}\). The values for the relevant \(f_d\) appear in the upper right of Table 4. Some event orderings have higher expected frequencies than others. For example, vendor awareness precedes attacks in 3 out of 4 histories in a uniform distribution of event transitions (\(f_{V \prec A} = 0.75\)), whereas fix deployed prior to public awareness holds in less than 1 out of 25 (\(f_{D \prec P} = 0.037\)) histories generated by a uniform distribution over event transitions.

Any observations of phenomena in which we measure the performance of human actors can attribute some portion of the outcome to skill and some portion to chance [15, 26]. It is reasonable to wonder whether good outcomes in CVD are the result of luck or skill. How can we tell the difference?

We begin with a simple model in which outcomes \(o\) are a combination of luck and skill,

In other words, outcomes due to skill are what remain when you subtract the outcomes due to luck from the outcomes you observe. In this model, we treat luck as a random component: the contribution of chance. In a world where neither attackers nor defenders held any advantage and events were chosen uniformly from \(E\) whenever they were possible, we would expect to see the preferred orderings occur with probability equivalent to their frequency \(f_d\) as shown in Table 4.

Skill, on the other hand, accounts for the outcomes once luck has been accounted for. So the more likely an outcome is due to luck, the less skill we can infer when it is observed. As an example, from Table 4 we see that fix deployed before the vulnerability is public is the rarest of our desiderata with \(f_{D \prec P} = 0.037\), and thus exhibits the most skill when observed. On the other hand, vendor awareness before attacks is expected to be a common occurrence with \(f_{V \prec A} = 0.75\).

We can therefore use the set of \(f_d\) to construct a partial order over \(\mathbb {D}\) in which we prefer desiderata \(d,\) which are more rare (and therefore imply more skill when observed) over those that are more common. We create the partial order on \(\mathbb {D}\) as follows: for any pair \(d_1,d_2 \in \mathbb {D}\), we say that \(d_2\) exhibits less skill than \(d_1\) if \(d_2\) occurs more frequently in \(H\) than \(d_1\)

Note that the inequalities on the left and right sides of Equation (16) are flipped because skill is inversely proportional to luck. Also, while \(\le _{\mathbb {D}}\) on the left side of Equation (16) defines a preorder over the poset \(H\), the \(\stackrel{\mathbb {R}}{\ge }\) is the usual ordering over the set of real numbers. The result is a partial order \((\mathbb {D},\le _{\mathbb {D}})\) because a few \(d\) have the same \(f_d\) (\(f_{F \prec X} = f_{V \prec P} = 0.333,\) for example). The full Hasse Diagram for the partial order \((\mathbb {D},\le _{\mathbb {D}})\) is shown in Figure 2.

Next we develop a new partial order on \(H\) given the partial order \((\mathbb {D},\le _{\mathbb {D}})\) just described. We observe that \(\mathbb {D}^{h}\) acts as a Boolean vector of desiderata met by a given \(h\). Since \(0 \le f_d \le 1\), simply taking its inverse could in the general case lead to some large values for rare events, so for convenience we use \(log(1/f_d)\) as our proxy for skill. Taking the dot product of \(\mathbb {D}^h\) with the set of \(log(1/f_d)\) represented as a vector, we arrive at a single value representing the skill exhibited for each history \(h\). Careful readers may note that this value is equivalent to the Term Frequency—Inverse Document Frequency (TF-IDF) score for a search for the “skill terms” represented by \(\mathbb {D}\) across the corpus of possible histories \(H\).

We have now computed a skill value for every \(h \in H\), which allows us to sort \(H\) and assign a rank to each history \(h\) contained therein. The rank is shown in Table 2. Rank values start at 1 for least skill up to a maximum of 62 for most skill. Owing to the partial order \((\mathbb {D},\le _{\mathbb {D}})\), some \(h\) have the same computed skill values, and these are given the same rank.

The ranks for \(h \in H\) lead directly to a new poset \((H,\le _{\mathbb {D}})\), which is an extension of and fully compatible with \((H,\le _{H})\) as developed in Section 4. The resulting Hasse Diagram would be too large to reproduce here. Instead, we include the resulting rank for each \(h\) as a column in Table 2. In the table, rank is ordered from least desirable and skillful histories to most. Histories having identical rank are incomparable to each other within the poset. The refined poset \((H,\le _{\mathbb {D}})\) is much closer to a total order on \(H\), as indicated by the relatively few histories having duplicate ranks.

The remaining incomparable histories are the direct result of the incomparable \(d\) in \((\mathbb {D},\le _{\mathbb {D}})\), corresponding to the branches in Figure 2. Achieving a total order on \(\mathbb {D}\) would require answering the following: Assuming you could achieve only one, and without regard to any other \(d \in \mathbb {D}\), would you prefer

Recognizing that readers may have diverse opinions on all three questions, we leave further analysis of the answers to these as future work.

This is just one example of how poset refinements might be used to order \(H\). Different posets on \(\mathbb {D}\) would lead to different posets on \(H\). For example, one might construct a different poset if certain \(d\) were considered to have much higher financial value when achieved than others.

Although Equation (18) develops a skill metric from observed frequencies, our observations will in fact be based on counts. Observations consist of some number of successes \(S_d^{o}\) out of some number of trials \(T\), i.e.,We likewise revisit our interpretation of \(f_d\)where \(S_d^l\) is the number of successes at \(d\) we would expect due to luck in \(T\) trials.

Substituting Equations (20) and (21) into Equation (18), and recalling that \(p_s = 1\) because a maximally skillful player succeeds in \(T\) out of \(T\) trials, we get

Rearranging Equation (21) to \(S_d^l = {f_d}T\), substituting into Equation (22), and simplifying, we getHence, for any of our desiderata \(\mathbb {D}\) we can compute \(\alpha _d\) given \(S_d^o\) observed successes out of \(T\) trials in light of \(f_d\) taken from Table 4.

Before we address the data analysis we take a moment to discuss uncertainty.

We have already described the basis of our \(f_d^{obs}\) model in the binomial distribution. While we could just estimate the error in our observations using the binomial’s variance \(np(1-p)\), because of boundary conditions at 0 and 1 we should not assume symmetric error. An extensive discussion of uncertainty in the binomial distribution is given in [9].

However, for our purpose the Beta distribution lends itself to this problem nicely. The Beta distribution is specified by two parameters \((a,b)\). It is common to interpret \(a\) as the number of successes and \(b\) as the number of failures in a set of observations of Bernoulli trials to estimate the mean of the binomial distribution from which the observations are drawn. For any given mean, the width of the Beta distribution narrows as the total number of trials increases.

We use this interpretation to estimate a 95% credible interval for \(f_d^{obs}\) using a Beta distribution with parameters \(a = S_d^o\) as successes and \(b = T - S_d^o\) representing the number of failures using the scipy.stats.beta.interval function in Python. This gives us an upper and lower estimate for \(f_d^{obs}\), which we multiply by \(T\) to get upper and lower estimates of \(S_d^o\) as in Equation (20).

We are now ready to proceed with our data analysis. First, we examine Microsoft’s monthly security updates for the period between March 2017 and May 2020, as curated by the Zero Day Initiative (ZDI) blog.³ Figure 3(a) shows monthly totals for all vulnerabilities, while Figure 3(b) has monthly observations of \(P \prec F\) and \(A \prec F\). This dataset allowed us to compute the monthly counts for \(F \prec P\) and \(F \prec A\).

One benefit of this definition of possible CVD histories in Section 3 is an opportunity to clarify definitions of related terms. While not a focus of the analysis in this article, a brief comment on different interpretations of the term “zero day vulnerability” is helpful at this point. For example, one reviewer stated they prefer to define “zero day vulnerability” as \(X \prec V\) and not \((P \prec F\) or \(A \prec F)\). We should seek these precise definitions because sometimes both \(X \prec V\) and \(P \prec F\), in which case two people might agree that an instance is a zero day without understanding they disagree on the definition. We do not disagree with the reviewer that \(X \prec V\) is a definition of zero day, it just is not the one we are using for this analysis, since \((P \prec F\) or \(A \prec F)\) is what ZDI used as their definition. For example, perhaps \(X \prec V\) is a zero day for a software vendor whereas \((P \prec F\) or \(A \prec F)\) is a zero day from the perspective of a system owner. An extended version of this article brings additional formalism to the various definitions of “zero day” [21]. However, for present purposes the ability to accurately and cleanly state our definition is enough.

Observations of \(F \prec P\): In total, Microsoft issued patches for 2,694 vulnerabilities; 2,610 (0.97) of them met the fix-ready-before-public-awareness (\(F \prec P\)) objective. The mean monthly \(\alpha _{F \prec P} = 0.967\), with a range of [0.878, 1.0]. We can also use the cumulative data to estimate an overall skill level for the observation period, which gives us a bit more precision on \(\alpha _{F \prec P} = 0.969\) with the 0.95 interval of [0.962, 0.975]. Figure 4(a) shows the trend for both the monthly observations and the cumulative estimate of \(\alpha _{F \prec P}\).

Observations of \(F \prec A\): Meanwhile, 2,655 (0.99) vulnerabilities met the fix-ready-before-attacks-observed (\(F \prec A\)) criteria. Thus, we compute a mean monthly \(\alpha _{F \prec A} = 0.976\) with range [0.893, 1.0]. The cumulative estimate yields \(\alpha _{F \prec A} = 0.986\) with an interval of [0.980, 0.989]. The trend for both is shown in Figure 4(b).

Inferring Histories from Observations: Another possible application of our model is to estimate unobserved \(\alpha _d\) based on the cumulative observations of both \(f_{F \prec P}^{obs}\) and \(f_{F \prec A}^{obs}\) above. Here, we estimate the frequency \(f_d\) of the other \(d \in \mathbb {D}\) for this period. Our procedure is as follows:

As one might expect given the causal requirement that vendor awareness precedes fix availability, the estimated values of \(\alpha _d\) are quite high (\(0.96-0.99\)) for our desiderata involving either \(V\) or \(F\). We also estimate that \(\alpha _d\) is positive—indicating that we are observing skill over and above mere luck—for all \(d\) except \(P \prec A\) and \(X \prec A,\) which are slightly negative. The results are shown in Figure 5. The most common sample median history rank across all runs is 53, with all sample median history ranks falling between 51–55. The median rank of possible histories weighted according to the assumption of equiprobable transitions is 11. We take this as evidence that the observations are indicative of skill.

Next, we examine the overall trend in \(P \prec X\) for commodity exploits between 2015 and 2019. The dataset is based on the National Vulnerability Database [32], in conjunction with the CERT Vulnerability Data Archive [11]. Between these two databases, a number of candidate dates are available to represent the date a vulnerability was made public. We use the minimum of these as the date for \(P\).

To estimate the exploit availability (\(X\)) date, we extracted the date a CVE-ID appeared in the git logs for Metasploit [36] or Exploitdb [33]. When multiple dates were available for a CVE-ID, we kept the earliest. Note that commodity exploit tools such as Metasploit and Exploitdb represent a non-random sample of the exploits available to adversaries. These observations should be taken as a lower bounds estimate of exploit availability, and therefore an upper bounds estimate of observed desiderata \(d\) and skill \(\alpha _d\).

During the time period from 2013–2019, the dataset contains 73,474 vulnerabilities. Of these, 1,186 were observed to have public exploits (\(X\)) prior to the earliest observed vulnerability disclosure date (\(P\)), giving an overall success rate for \(P \prec X\) of 0.984. The mean monthly \(\alpha _{P \prec X}\) is 0.966 with a range of [0.873, 1.0]. The volatility of this measurement appears to be higher than that of the Microsoft data. The cumulative \(\alpha _{P \prec X}\) comes in at 0.968 with an interval spanning [0.966, 0.970]. A chart of the trend is shown in Figure 6.

To estimate unobserved \(\alpha _d\) from the commodity exploit observations, we repeat the procedure outlined in Section 7.3. This time, we use \(N=73,474\) and estimate \(f^{est}_{d}\) for \(P \prec X\) with Beta parameters \(a=72,288\) and \(b=1186\). As above, we find evidence of skill in positive estimates of \(\alpha _d\) for all desiderata except \(P \prec A\) and \(X \prec A\), which are negative. The most common sample median history rank in this estimate is 33 with a range of [32,33], which is lower than the median rank of 53 in the Microsoft estimate from Section 7.3, still beats the median rank of 11 assuming uniform event probabilities. The results are shown in Figure 7.

As described above, in an ideal CVD situation, each observed history would achieve all 11 desiderata \(\mathbb {D}\). Realistically, this is unlikely to happen. We can at least state that we would prefer that most cases reach fix ready before attacks (\(F \prec A\)). Per Table 4, even in a world without skill we would expect \(F \prec A\) to hold in 73% of cases. This means that \(\alpha _{F \prec A} \lt 0\) for anything less than a 0.73 success rate. Doing just barely better than random (\(\epsilon \gt \alpha _d \gt 0\) for \(\epsilon \approx 0\)) is not terribly satisfying, so we would like to seek outcomes in which \(\alpha _{F \prec A} \ge c_{F \prec A} \ge 0\) for some benchmark constant \(c_{F \prec A}\). In fact, we propose to generalize this for any \(d \in \mathbb {D}\), such that \(\alpha _d\) should be greater than some benchmark constant \(c_d\)where \(c_d\) is a based on observations of \(\alpha _d\) collected across some collection of CVD cases.

We propose as a starting point a naïve benchmark of \(c_d = 0\). This is a low bar, as it only requires that CVD actually do better than possible events which are independent and identically distributed (i.i.d.) within each case. For example, given a history in which \((V, F, P)\) have already happened, \(D\), \(X\), or \(A\) are equally likely to occur next.

The i.i.d. assumption may not be warranted. We anticipate that event ordering probabilities might be conditional on history: for example, \(p(X|P) \gt p(X|\lnot P)\) or \(p(A|X) \gt p(A|\lnot X)\). If the i.i.d. assumption fails to hold for \(e \in E\), observed frequencies of \(h \in H\) could differ significantly from the rates predicted by the uniform probability assumption behind Table 4.

Some example suggestive observations are:

On their own these observations can equally well support the idea that we are broadly observing skill in vulnerability response, rather than that the world is biased from some other cause. However, we could choose a slightly different goal than differentiating skill and “blind luck” as represented by the i.i.d. assumption. One could aim at measuring “more skillful than the average for some set of teams” rather than more skillful than blind luck.

If this were the “reasonable” baseline expectation (RQ2), the primary limitation is available observations. This model helps overcome this limitation because it provides a clear path toward collecting relevant observations. For example, by collecting dates for the six \(e \in E\) for a large sample of vulnerabilities, we can get better estimates of the relative frequency of each history \(h\) in the real world. It seems as though better data would serve more to improve benchmarks rather than change expectations of the role of chance.

As an applied example, if we take the first item in the above list as a broad observation of \(f_{D \prec A} = 0.95\), we can plug into Equation (18) to get a potential benchmark of \(\alpha _{D \prec A} = 0.94\), which is considerably higher than the naïve generic benchmark \(\alpha _d = 0\). It also implies that we should expect actual observations of \(h \in H\) to skew toward the 19 \(h\) in which \(D \prec A\) around 19x as often as the 51 \(h\) in which \(D \not\prec A\). Similarly, if we interpret the second item as a broad observation of \(f_{D \prec X} = 0.844\), we can then compute a benchmark \(\alpha _{D \prec X} = 0.81\), which is again a significant improvement over the naïve \(\alpha _d = 0\) benchmark.

MPCVD occurs when multiple vendors or stakeholders are involved in the disclosure process. The need for MPCVD arises due to the inherent nature of the software supply chain [22]. A vulnerability that affects a low-level component (such as a library or operating system API) can require fixes from both the originating vendor and any vendor whose products incorporate the affected component. Alternatively, vulnerabilities are sometimes found in protocol specifications or other design-time issues where multiple vendors may have each implemented their own components based on a vulnerable design.

A common problem in MPCVD is that of fairness: Coordinators are often motivated to optimize the CVD process to maximize the deployment of fixes to as many end users as possible while minimizing the exposure of users of other affected products to unnecessary risks.

The model presented in this article provides a way for coordinators to assess the effectiveness of their MPCVD cases. In an MPCVD case, each vendor/product pair effectively has its own 6-event history \(h_a\). We can therefore recast MPCVD as a set of histories \(M\) drawn from the possible histories \(H\):Where \(m = |M| \ge 1\). The edge case when \(|M| = 1\) is simply the regular (non-multiparty) case.

We can then set desired criteria for the set \(M\), as in the benchmarks described in Section 8.1. In the MPCVD case, we propose to generalize the benchmark concept such that the median \(\tilde{\alpha _d}\) should be greater than some benchmark constant \(c_d\)

In real-world cases where some outcomes across different vendor/product pairs will necessarily be lower than others, we can also add the criteria that we want the variance of each \(\alpha _d\) to be low. An MPCVD case having high median \(\alpha _d\) with low variance across vendors and products involved will mean that most vendors achieved acceptable outcomes.

To summarize:

CVD stakeholders include vendors, system owners, the security research community, coordinators, and governments [22]. Different stakeholders might want different things, although most benevolent parties will likely seek some subset of \(\mathbb {D}\). Because \(H\) is the same for all stakeholders, the expected frequencies shown in Table 4 will be consistent across any such variations in desiderata. A discussion of some stakeholder preferences is given below, while a summary can be found in Table 5. We notate these variations of the set of desiderata \(\mathbb {D}\) with subscripts: \(\mathbb {D}_v\) for vendors, \(\mathbb {D}_s\) for system owners, \(\mathbb {D}_c\) for coordinators, and \(\mathbb {D}_g\) for governments. In Table 3, we defined a preference ordering between every possible pairing of events; therefore, \(\mathbb {D}\) is the largest possible set of desiderata. We thus expect the desiderata of benevolent stakeholders to be a subset of \(\mathbb {D}\) in most cases. That said, we note a few exceptions in the text that follows.