I happened to see a tweet the other day that said:
“If you want a bug fixed quickly, sell it on the Russian black market. It’ll be so heavily abused that the vendor will patch out of cycle.”
Now, it could be the joke’s on me and the 126 people who retweeted this message (a large number for security tweets) were in on it. Or, they all don’t realize how ludicrous this is. In the infosec/techrisk field, this kind of thinking is not unheard of so I will treat this as if it is legitimate.
The tweet highlights just how biased people can be when they get caught up in a notion without understanding the implications. Apparently, this tweeter wants bugs fixed quickly. At first blush this seems like a simple enough concern, shared by many. But peel one small layer deeper and the statement often ends up being “want bugs that you know about (or worse, that you discovered) fixed quickly after your discovery?” It becomes easier to see how certainty bias and the focusing illusion come into play.
there is plenty of evidence to demonstrate that it is unlikely that the bug in question is the only bug that remains unfixed – we have any number of bugs in various stages of discovery and disclosure all the time. If we assume that the average bug takes 120 days from discovery (or at least vendor notification) to patch release, and vendors generally release patches on a monthly cycle, then there are four months of undisclosed (typically) vulns on your systems that remain upatched.
Now, you might assert that this makes the point – of course we want them patched “quickly.” But that completely ignores the tradeoffs. If your patch is prioritized, that means another one must be de-prioritized. I suppose you could say that security developers aren’t operating at capacity and therefore can absorb the workload for both bugs, but that seems farfetched to me and doesn’t scale in any case.
Of course, the worst part of the tweet is the part that purposely increases risk by increasing the threat of compromise. No need for a soapbox/high horse here to recognize that purposely inflating risk to get attention in spite of how detrimental it is to Internet users is certainly unprofessional and really kind of pathetic.
Too often, folks get caught up in some perceived solution to a problem and neglect the bigger picture. Many times, the bugfinder is sincerely concerned. But it is important to understand the cost/benefit and risk dynamics involved if you really want to positively affect Internet risk.