Bug Collisions Meet Government Vulnerability Disclosure

Presented at Black Hat USA 2017, July 27, 2017, 11 a.m. (50 minutes)

How often does someone find your secret bugs? The Vulnerability Equities Process (VEP) helps determine whether a software vulnerability known to the U.S. government will be disclosed to the vendor or kept secret. A key input to that calculation is the likelihood that some other party has found, or will find, the same vulnerability. Yet for years there has been little rigorous analysis of how often two parties independently discover the same vulnerability.

Then in 2017, two studies addressing this question were released within days of each other, with different findings. Join us for a discussion with the lead authors and several luminaries in the security space as we pick apart the key findings of these reports and their implications for the policy community.


  • Trey Herr - Fellow, Belfer Center Cyber Security Project, Harvard Kennedy School
    Trey Herr, Ph.D, is a postdoctoral fellow with the Belfer Center's Cyber Security Project at the Harvard Kennedy School. His work focuses on trends in state developed malicious software, the structure of criminal markets for malware components, and the proliferation of malware. Trey is co-editor of Cyber Insecurity — Navigating the Perils of the Next Information Age, an edited volume on cybersecurity policy, and is a non-resident fellow with New America's Cybersecurity Initiative. He previously worked with the Department of Defense to develop a risk assessment methodology for information security threats. He holds a Ph.D. and M.A. in Political Science from George Washington University and a B.S. in Theatre and Political Science from Northwestern University.
  • Lillian Ablon - Information Scientist; Professor, Pardee RAND Graduate School, RAND Corporation
    Lillian Ablon is an information scientist at the RAND Corporation and a professor at the Pardee RAND Graduate School. She conducts technical and policy research on topics spanning cyber security, emerging technologies, privacy and security in the digital age, computer network operations, digital exhaust, and the human element. Recent research topics include longevity and collision rates of zero-day software vulnerabilities and their exploits; cyber risks to the supply chain; coverages and risks of cyber insurance; consumer attitudes towards data breach notifications; the intersection of commercial technology companies and public policy; black markets for cybercrime tools and stolen data as well as the white, grey, and black markets for zero-day exploits; social engineering and open source intelligence; methods for zero-day vulnerability detection; tools and technologies for greater cyber situational awareness; future and emerging technologies and the 2020-2040 operating environment; and privacy concerns with digital identity. Prior to joining RAND, Ablon worked with some of the most cutting-edge technologies in cryptography, network exploitation and vulnerability analysis, and mathematics. She won an "uber" black badge at DEF CON 21 and holds a B.A. in mathematics from the University of California, Berkeley, and an M.S. in mathematics from Johns Hopkins University.
  • Kim Zetter - Journalist and Author
    Kim Zetter is an award-winning investigative journalist and author who covers cybersecurity, cybercrime, cyber warfare, privacy and civil liberties. She has been covering computer security and the hacking underground since 1999, most recently as a staff reporter for Wired, where she has been reporting since 2003. In 2006 she broke a story for Salon about a secret NSA room at an AT&T facility in Missouri that was believed to be siphoning internet data from the telecom's network operations center. In 2011, she wrote an extensive feature about Stuxnet, a sophisticated digital weapon launched by the U.S. and Israel to sabotage Iran's uranium enrichment program. It was the first worm found in the wild that was designed to cause physical destruction rather than simply steal data. She recently completed a book on the topic, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.
  • Katie Moussouris - CEO, Luta Security, Inc.
    Katie Moussouris, a noted authority on vulnerability disclosure and bug bounties, is the founder and CEO of Luta Security, Inc. Luta Security advises companies, lawmakers, and governments on the benefits of hacking and security research to help make the internet safer for everyone. Katie is a hacker, first hacking computers, now hacking policy and regulations. Katie was instrumental in helping the US Department of Defense start the government's first bug bounty program, "Hack the Pentagon," which was followed by "Hack the Army." Her earlier Microsoft work encompassed industry-leading initiatives such as Microsoft Vulnerability Research and its bug bounty programs. She is also a subject matter expert for the US National Body of the International Organization for Standardization (ISO) in vulnerability disclosure (ISO/IEC 29147), vulnerability handling processes (ISO/IEC 30111), and secure development (ISO/IEC 27034). Katie is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market. She is a New America Foundation Fellow and Harvard Belfer Affiliate. Katie is on the CFP review board for RSA, O'Reilly Security Conference, and Shakacon, and is an adviser to the Center for Democracy and Technology.
  • Jason Healey - Senior Research Scholar in the Faculty of International and Public Affairs, Columbia SIPA
    Jason Healey is a Senior Research Scholar at Columbia University's School of International and Public Affairs, specializing in cyber conflict, competition and cooperation. Prior to this, he was the founding director of the Cyber Statecraft Initiative of the Atlantic Council, where he remains a Senior Fellow. He has authored dozens of published articles and is the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict, 1986 to 2012. During his time in the White House, he was a director for cyber policy, coordinating efforts to secure US cyberspace and critical infrastructure. At Goldman Sachs, he created their first cyber incident response team and later oversaw the bank's crisis management and business continuity in Asia. He started his career as a US Air Force intelligence officer with jobs at the Pentagon and National Security Agency, and is president of the Cyber Conflict Studies Association.
